Windows Analysis Report
oneDrive.exe

Overview

General Information

Sample name: oneDrive.exe
Analysis ID: 1524367
MD5: 8509691d37f05049067df88592964a4b
SHA1: 37db71172ab64c108fedca85e5be51a499b2ba12
SHA256: 451ee465675e674cebe3c42ed41356ae2c972703e1dc7800a187426a6b34efdc
Tags: CeranaKeeper, exe, user-JAMESWT_MHT
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found pyInstaller with non standard icon
Sigma detected: Rar Usage with Password and Compression Level
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • oneDrive.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\oneDrive.exe" MD5: 8509691D37F05049067DF88592964A4B)
    • oneDrive.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\oneDrive.exe" MD5: 8509691D37F05049067DF88592964A4B)
      • cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7836 cmdline: C:\Windows\system32\cmd.exe /c "hostname" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • HOSTNAME.EXE (PID: 7888 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
      • cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8008 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8060 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c "hostname" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • HOSTNAME.EXE (PID: 8160 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
      • cmd.exe (PID: 8176 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1848 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 1964 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*", CommandLine: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\oneDrive.exe", ParentImage: C:\Users\user\Desktop\oneDrive.exe, ParentProcessId: 7544, ParentProcessName: oneDrive.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*", ProcessId: 7904, ProcessName: cmd.exe
Source: Process startedAuthor: frack113: Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\System32\HOSTNAME.EXE, NewProcessName: C:\Windows\System32\HOSTNAME.EXE, OriginalFileName: C:\Windows\System32\HOSTNAME.EXE, ParentCommandLine: C:\Windows\system32\cmd.exe /c "hostname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7836, ParentProcessName: cmd.exe, ProcessCommandLine: hostname, ProcessId: 7888, ProcessName: HOSTNAME.EXE
No Suricata rule has matched

AV Detection

Source: oneDrive.exe, Avira: detected
Source: oneDrive.exe, ReversingLabs: Detection: 31%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: oneDrive.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: oneDrive.exe, 00000001.00000003.1516035668.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF6869C7820 FindFirstFileExW,FindClose,1_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF6869E09B4
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 2_2_00007FF6869C7820 FindFirstFileExW,FindClose,2_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 2_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 2_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6869E09B4
Source: oneDrive.exe, 00000002.00000003.2042519257.000002365FB4A000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: oneDrive.exe, 00000002.00000003.2042519257.000002365FB3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: oneDrive.exe, 00000002.00000002.2047409308.000002365FA9C000.00000004.00001000.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2042519257.000002365FB4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: base_library.zip.1.drString found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: oneDrive.exe, 00000002.00000002.2046516934.000002365F558000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: base_library.zip.1.drString found in binary or memory: https://mahler:8092/site-updates.py
Source: oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pixeldrain.com/api/file
Source: oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
Source: oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, libcrypto-1_1.dll.1.drString found in binary or memory: https://www.openssl.org/H
Source: base_library.zip.1.drString found in binary or memory: https://www.python.org/
Source: oneDrive.exe, 00000001.00000003.1518995615.000002090D183000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.drString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.drString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: C:\Users\user\Desktop\oneDrive.exeCode function: String function: 00007FF6869C2770 appears 82 times
Source: unicodedata.pyd.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516035668.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs oneDrive.exe
Source: oneDrive.exeBinary or memory string: OriginalFilename vs oneDrive.exe
Source: oneDrive.exe, 00000002.00000002.2049775351.00007FFB0C237000.00000004.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython310.dll. vs oneDrive.exe
Source: oneDrive.exe, 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs oneDrive.exe
Source: libcrypto-1_1.dll.1.drStatic PE information: Section: UPX1 ZLIB complexity 0.998725
Source: libssl-1_1.dll.1.drStatic PE information: Section: UPX1 ZLIB complexity 0.9921420784883721
Source: python310.dll.1.drStatic PE information: Section: UPX1 ZLIB complexity 0.9990745427643289
Source: unicodedata.pyd.1.drStatic PE information: Section: UPX1 ZLIB complexity 0.9937514282449725
Source: classification engineClassification label: mal68.winEXE@32/13@0/0
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF6869C74B0 GetLastError,FormatMessageW,WideCharToMultiByte,1_2_00007FF6869C74B0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user~1\AppData\Local\Temp\_MEI75162Jump to behavior
Source: oneDrive.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\oneDrive.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: oneDrive.exeReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\oneDrive.exeFile read: C:\Users\user\Desktop\oneDrive.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe"
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe"
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oneDrive.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\HOSTNAME.EXESection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\tasklist.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exeFile opened: C:\Users\user\Desktop\pyvenv.cfgJump to behavior
Source: oneDrive.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: oneDrive.exeStatic file information: File size 4802649 > 1048576
Source: oneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oneDrive.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: oneDrive.exe, 00000001.00000003.1516035668.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source: oneDrive.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oneDrive.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oneDrive.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oneDrive.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oneDrive.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: oneDrive.exeStatic PE information: section name: _RDATA
Source: VCRUNTIME140.dll.1.drStatic PE information: section name: _RDATA
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF686A110E4 push rcx; retn 0000h1_2_00007FF686A110ED
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF686A110CC push rbp; retn 0000h1_2_00007FF686A110CD
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 2_2_00007FF686A110E4 push rcx; retn 0000h2_2_00007FF686A110ED
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 2_2_00007FF686A110CC push rbp; retn 0000h2_2_00007FF686A110CD
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\oneDrive.exeProcess created: "C:\Users\user\Desktop\oneDrive.exe"
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\python310.dllJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-1_1.dllJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-1_1.dllJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pydJump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exeCode function: 1_2_00007FF6869C3DF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00007FF6869C3DF0
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\python310.dll
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-1_1.dll
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd
Source: C:\Users\user\Desktop\oneDrive.exe API coverage: 5.5 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C7820 FindFirstFileExW,FindClose,1_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF6869E09B4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869C7820 FindFirstFileExW,FindClose,2_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6869E09B4
Source: HOSTNAME.EXE, 00000010.00000002.1835588220.000002AE70119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HOSTNAME.EXE, 00000008.00000002.1627714013.00000234D0FB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6869CB69C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E25A0 GetProcessHeap,1_2_00007FF6869E25A0
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB880 SetUnhandledExceptionFilter,1_2_00007FF6869CB880
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF6869CAE00
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6869CB69C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6869D9AE4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869CB880 SetUnhandledExceptionFilter,2_2_00007FF6869CB880
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869CAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF6869CAE00
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869CB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6869CB69C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6869D9AE4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FFB24BE004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFB24BE004C
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E89B0 cpuid 1_2_00007FF6869E89B0
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB580 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00007FF6869CB580
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E4E20 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,1_2_00007FF6869E4E20
Source: C:\Users\user\Desktop\oneDrive.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 21 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Software Packing | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
[Behavior graph. ID: 1524367, Sample: oneDrive.exe, Startdate: 02/10/2024, Architecture: WINDOWS, Score: 68. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; AI detected suspicious sample; Sigma detected: Rar Usage with Password and Compression Level; Found pyInstaller with non standard icon. Process tree: oneDrive.exe started and dropped C:\Users\user\AppData\...\unicodedata.pyd, C:\Users\user\AppData\Local\...\select.pyd, C:\Users\user\AppData\Local\...\python310.dll (all PE32+) and 9 other files (none is malicious); it started a second oneDrive.exe, which started cmd.exe processes; these in turn started conhost.exe, HOSTNAME.EXE and tasklist.exe.]

Source | Detection | Scanner | Label | Link
oneDrive.exe | 32% | ReversingLabs | Win32.Trojan.Generic |
oneDrive.exe | 100% | Avira | TR/Drop.Agent.nuump |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\python310.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.openssl.org/H | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | oneDrive.exe, 00000002.00000002.2046516934.000002365F558000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://pixeldrain.com/api/file | oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://mahler:8092/site-updates.py | base_library.zip.1.dr | false | | unknown
http://www.robotstxt.org/norobots-rfc.txt | base_library.zip.1.dr | false | | unknown
https://www.python.org/download/releases/2.3/mro/. | oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr | false | | unknown
https://www.python.org/ | base_library.zip.1.dr | false | | unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.openssl.org/H | oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, libcrypto-1_1.dll.1.dr | false | URL Reputation: safe | unknown
http://www.iana.org/time-zones/repository/tz-link.html | oneDrive.exe, 00000002.00000003.2042519257.000002365FB3A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.python.org/dev/peps/pep-0205/ | oneDrive.exe, 00000001.00000003.1518995615.000002090D183000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.dr | false | | unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html | oneDrive.exe, 00000002.00000003.2042519257.000002365FB4A000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://python.org/dev/peps/pep-0263/ | oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmp | false | | unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm | oneDrive.exe, 00000002.00000002.2047409308.000002365FA9C000.00000004.00001000.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2042519257.000002365FB4A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl3.digi | oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                  No contacted IP infos
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1524367
                                  Start date and time:2024-10-02 18:08:56 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 24s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:24
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:oneDrive.exe
                                  Detection:MAL
                                  Classification:mal68.winEXE@32/13@0/0
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 58
                                  • Number of non-executed functions: 158
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • VT rate limit hit for: oneDrive.exe
                                  No simulations
                                  No context
Match: C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dll
• Associated Sample Name / URL: file.exe; Detection: malicious; Threat Name: DUMPNTLM
• Associated Sample Name / URL: newvideozones.click.ps1; Detection: malicious; Threat Name: Unknown
• Associated Sample Name / URL: https://github.com/VioletteChiara/AnimalTA/releases/download/v3.2.2/AnimalTA_installer_v3.2.2.exe; Detection: malicious; Threat Name: Unknown
• Associated Sample Name / URL: pkgconsole.exe; Detection: malicious; Threat Name: AsyncRAT, Discord Token Stealer, MicroClip, RedLine
• Associated Sample Name / URL: hvKNAvvNd4.exe; Detection: malicious; Threat Name: AsyncRAT, Discord Token Stealer, MicroClip, RedLine
• Associated Sample Name / URL: check.bat; Detection: malicious; Threat Name: Python Stealer
• Associated Sample Name / URL: corpsero.exe; Detection: malicious; Threat Name: Unknown
• Associated Sample Name / URL: 83MZfLKh7D.exe; Detection: malicious; Threat Name: AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine
• Associated Sample Name / URL: TWlznBtQLz.exe; Detection: malicious; Threat Name: AsyncRAT, Luca Stealer, MicroClip, RedLine
• Associated Sample Name / URL: 8Mgx5RP6Wc.exe; Detection: malicious; Threat Name: Discord Token Stealer
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):97160
                                                      Entropy (8bit):6.422776154074499
                                                      Encrypted:false
                                                      SSDEEP:1536:yDHLG4SsAzAvadZw+1Hcx8uIYNUzUnHg4becbK/zJrCT:yDrfZ+jPYNznHg4becbK/Fr
                                                      MD5:11D9AC94E8CB17BD23DEA89F8E757F18
                                                      SHA1:D4FB80A512486821AD320C4FD67ABCAE63005158
                                                      SHA-256:E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
                                                      SHA-512:AA6AFD6BEA27F554E3646152D8C4F96F7BCAAA4933F8B7C04346E410F93F23CFA6D29362FD5D51CCBB8B6223E094CD89E351F072AD0517553703F5BF9DE28778
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: newvideozones.click.ps1, Detection: malicious
• Filename: , Detection: malicious
• Filename: pkgconsole.exe, Detection: malicious
• Filename: hvKNAvvNd4.exe, Detection: malicious
• Filename: check.bat, Detection: malicious
• Filename: corpsero.exe, Detection: malicious
• Filename: 83MZfLKh7D.exe, Detection: malicious
• Filename: TWlznBtQLz.exe, Detection: malicious
• Filename: 8Mgx5RP6Wc.exe, Detection: malicious
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):44784
                                                      Entropy (8bit):7.758117629952991
                                                      Encrypted:false
                                                      SSDEEP:768:KYALi+CQICxpocJb5PR1qNWk7xGZ6jtdZZxF3oIUCy6tScjqpL4IAMVOeEDG4yw4:9ALiIISocD6Ck7ZxGYy6t24IAMVO7yw
                                                      MD5:CE449D962AD4E5C30A9979FB518768C5
                                                      SHA1:5F5B634AF8F539699C1147AD7D008AD352E6C90F
                                                      SHA-256:6F941039F9B458AF12F44D077C149E64F2FF5111D4CD252E05388628E9FE54FB
                                                      SHA-512:4E400E233779D93A006387C552DAEA14896D5865C22BF0D0E0061034E233F49D3EC2DFE4D7DF7EA03A9470DE5F140702F87D747A69BE78EB0C405E50CB6254D4
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):103656
                                                      Entropy (8bit):7.926445614908681
                                                      Encrypted:false
                                                      SSDEEP:1536:Gr2FnfxlQ7BIxnMRA40Jg9fsX9WyBP9CaYW93ZuHaIyRkJgU1uIAYqYJwyxo:82FfMR0asX9WwTJuHaIOIAYqYJ1o
                                                      MD5:A43584E0A77663AE9EF880F795C3443B
                                                      SHA1:49381996DE63CC596B13AC5A5A6E2E38A41F7242
                                                      SHA-256:6187149EDFFA1BA7139940E99A2DC71731C10698B243A21BE770BA39F4B201C9
                                                      SHA-512:97D546DF59A0E3C46339F73B2F82B0380C60B25E1AC29780C407AB7C153AD349F4876A59753CF700C858F149E230134B8ACD4EBFD7715AFB7991DBA3F235039E
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):31464
                                                      Entropy (8bit):7.601890523826956
                                                      Encrypted:false
                                                      SSDEEP:768:TpB1JH2ZEsqMA7VPLgbbSxp48IAYITmDG4ywh2:TpB1J8EsqPPLgb2U8IAYITyyz
                                                      MD5:813FED5002DBC12187B9854C3F7B19E1
                                                      SHA1:8F25D1FA742E44B53B936BECF96E5578905BD49B
                                                      SHA-256:7871BA8E0A2E62CBF67B3C325856F3A6C184244F4EA182CA4D37DF71E3579372
                                                      SHA-512:2500CB93D3110081BC7D67913E968E8FA2AE5DEA96371650FAFD1920E7301FCD0D5EF8DCA5B248497E36C6F491C86BCF9EBA6D67595D202D64FC6B9DAB25C089
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):83176
                                                      Entropy (8bit):7.914477090250098
                                                      Encrypted:false
                                                      SSDEEP:1536:K9axlKSugjKItvsXAVDW/UVkbqLYYOHrPvIAD1F/yo0:VkHgjKIRCAV4akb4YlIAD1FA
                                                      MD5:EA47E0C7CE88D0E5B2DDDB4CD87B19CB
                                                      SHA1:DBDA90AC617CA7B436E64EEA0EA67F7588E88A54
                                                      SHA-256:346EC5F471A698C200C639E4FBF1759BA270DC36CB2EA92CAD70F18F735B872F
                                                      SHA-512:89E4AA3B4EEB01DD8143A0822C379EF6F6A1E7972F7CA14808C21D85B38FCA13BCDCF71A9DF881634B4B93EB553C7F99E0C4F5C45CFB139F179F36D258A2737A
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):39144
                                                      Entropy (8bit):7.677237240694584
                                                      Encrypted:false
                                                      SSDEEP:768:s6p4KUJsCdi2aLC8RJGcNETXKqcJjwynQjk/HXgdpTbpIABwOmfDG4y/W7h5:VpghdidC8uc2TaqchwyQjsHibpIABwOC
                                                      MD5:0E93D87D1523899D18C6E2636CAE3147
                                                      SHA1:714CFCA29BF82FD5C61292676710E8614D62E364
                                                      SHA-256:C762D81610A4163A40724E1EF13FA9C07ACC99BEC928AD90D1A27705DF477E98
                                                      SHA-512:7464168BF26A96112109944BC837BF477BDFCCE8DAACC63A19799FCDFEF03DCEF3A552DA7D433E9553B94D7C2DA36CF69F92F20633E9BC2C491D80DF2BF6DB40
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):59112
                                                      Entropy (8bit):7.825725095421999
                                                      Encrypted:false
                                                      SSDEEP:1536:SVSeTECZ1REn5q3bzLzeqmDXt+LHD04KT0WhvG2IAM7F5vyU:y9EWbK+bz70Xt+Lg4q0UnIAM7F/
                                                      MD5:8CFBBD3785EE9D63F6964CE3DD6A3DDF
                                                      SHA1:68F03518A2B886DC55D528ACB35A2BE1B88DD7CF
                                                      SHA-256:6F080DE35210710561CA59EDF39EE23833913FBDF6124C75D01397AC56E93368
                                                      SHA-512:BB952983EC05969D9B1A58ED044A99C39017EF4713069066B06BA8DE1BB91421D43507D004F0743E66362CBAAF5AA2C6C05242DECCAE502C17D5295DF104E6C4
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                      Category:modified
                                                      Size (bytes):1064190
                                                      Entropy (8bit):5.6724117500610065
                                                      Encrypted:false
                                                      SSDEEP:12288:LVghgWWy4C6Sdc77A4a2YloXVw9sfJEKHwQjuErsv6SDQN+:LVgh1V4hLa2kAVw9sfJEKH9uEYv9QN+
                                                      MD5:4DAA5024B193E214F7FD551E13EEE561
                                                      SHA1:4FCE6977CA26624EAE0B571D83300A6245E1D1FA
                                                      SHA-256:2EDDABBF799E207E1602BC200D7C96594990AD95047C49D69C1025C4C10A7E48
                                                      SHA-512:4137600AAD6B23FFB1449C1AF64614C6FA5770F945E70FAE35AE7156CB0DF2F176D2291CB747BA3DA1EC5668F4FCACB3FAB94F37D44C490B8F960026B4AAB582
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1102072
                                                      Entropy (8bit):7.937741945378803
                                                      Encrypted:false
                                                      SSDEEP:24576:ZmjOKwERFZcyYl23vf5/PuYm5jOukzPRHE935b1CPwDv3uFfJT:899rZcyY0vf5eYtzgpb1CPwDv3uFfJT
                                                      MD5:ED33D69655B6698FE1AB97F41C37659E
                                                      SHA1:6BA390714A1ED0926B81923340EAC22A115384BF
                                                      SHA-256:16A844C815B485BAB5A705AE2DCA11D7C24E6AC84649D506EE0B0A0302233C90
                                                      SHA-512:8499087665554161A31CF3C60100AF0AFF04A8D1F7F5978E6CEA959154F46C486CFCB371185E29C37C2CA96B4AA696162BD740BF22237823DE37603547BB0E10
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):203000
                                                      Entropy (8bit):7.923707983801741
                                                      Encrypted:false
                                                      SSDEEP:3072:Ar1sMu77AZKZYQH0MLv5L/gUBx/GkGI4xoga1dFTDmeXxQotSZmdvKYT:sDmn6QUATTCkmza1/TD6lZmYYT
                                                      MD5:A662C288C164C94EF0C171BB1E2F8FB8
                                                      SHA1:B374A807CD8FF4CACA62C69C7BF9D2944BB58D26
                                                      SHA-256:C414891850A20CE9DF7CF6739EC3FA8A57D1A2C711E1D246DC137EF3F58DD377
                                                      SHA-512:4D1A80EA673CED29BDEEA4B6C9DC2CFA88AE60FF32329503196B5C6B37A72FF84ADF12F1DAA1598D1AFB0031949B0FD7171094B631DD65E08C6BCAC99992269F
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1500400
                                                      Entropy (8bit):7.991842049368431
                                                      Encrypted:true
                                                      SSDEEP:24576:Vfng8rkHg8NdzWjg0oHc47V2AvoceevFH1fuc0kk3do2Nnix7zXKx2NHgP8txDi:xrQAkzWnoHc452+Luc0Ndo2NnuzXof0H
                                                      MD5:FE730FAA642713F53BE7423421CF3273
                                                      SHA1:B31588980A40F4FC45C5DEB51869D850D1490DA1
                                                      SHA-256:DE05A58247136D07970B5D3A0582143833E397ABFB9BA22E36FCAE99F4C7C66D
                                                      SHA-512:AB11100259A5B81A8C424F2EA47886CA821BAD1128973FD4BC068F9F46B4000F54793EDB2DCB596E63616BB45E88B30EA129100225685C17ED36CA6B238C37BF
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):21744
                                                      Entropy (8bit):7.246215527153422
                                                      Encrypted:false
                                                      SSDEEP:384:fliRfircQWhIRkgnNU3frZa7gJXp+zhIAmGT6UDG4y8JAgwhp:flGCcQWyR1gp5+zhIAmGTxDG4yMwh
                                                      MD5:6706A624334444775C2919E761B79852
                                                      SHA1:2CD002957A611C0C714A28AF085FA79D7DE300BD
                                                      SHA-256:37825176B35BA6835F779DEDCF1BAFD5B84AE05B525002811D7B30CD8D8FDC61
                                                      SHA-512:FA3842089DC70FA9916EFCD40D33804989B198EF7A0AFB75BE3DB5ECDF9DEEFB03AC32CBEC4C5AC1035CF2079BA8B1A6A510447A2571DEF2A03D2EED8014C612
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f ...N...N...N.......N..rO...N..rK...N..rJ...N..rM...N..rO...N..lO...N...O...N..rC...N..rN...N..r....N..rL...N.Rich..N.........................PE..d....O[a.........." .....0................................................................`......................................... ...L....................`..............l...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                      Process:C:\Users\user\Desktop\oneDrive.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):292080
                                                      Entropy (8bit):7.984827890087239
                                                      Encrypted:false
                                                      SSDEEP:6144:h9pWfzi7fiLvelz/zPkE9V/IGti/soJKmDh25ncxN//k1eIuxUyWHaxuf:g+fnz/zcuVQIklJjKcxN/Me+yhuf
                                                      MD5:C82E111F974B574899395A75A01BEEC6
                                                      SHA1:2D55CE3F5F871C617086E4ED3010B57A9D499E7A
                                                      SHA-256:57DFC216E9D0B94A8426CA3B49A1D0BE4FFEC672330D9092B1875571A202E99D
                                                      SHA-512:14B958FDCBA90D743C9E512BBEE03FB1415866AE0E10BF5BCEC6C2F16BE6B31ADC8190BB1B96BE7445607C2CAFFD197D40957F28D48B7FA0CBE7F39D7C62AB7A
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N$z./J)./J)./J).W.)./J).ZK(./J).ZO(./J).ZN(./J).ZI(./J)YZK(./J).DK(./J)./K)./J)YZG(./J)YZJ(./J)YZ.)./J)YZH(./J)Rich./J)................PE..d....O[a.........." .....P...........V... ................................................`..........................................{..X....y.......p.......................{.......................................b..8...........................................UPX0....................................UPX1.....P... ...F..................@....rsrc........p.......J..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Entropy (8bit):7.9851804812646066
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:oneDrive.exe
                                                      File size:4'802'649 bytes
                                                      MD5:8509691d37f05049067df88592964a4b
                                                      SHA1:37db71172ab64c108fedca85e5be51a499b2ba12
                                                      SHA256:451ee465675e674cebe3c42ed41356ae2c972703e1dc7800a187426a6b34efdc
                                                      SHA512:d023e939b7eb96837c1ea1a0ccb9479a82b4cbb5d1a195927f0e3ca28ed281c93dff5aaf726027d4598152693629872880d6343b46aa932120350e49f8343783
                                                      SSDEEP:98304:I2XvRHtJQi9UWvGf//PuIsLR5l0XnwQXuerDkRTrJD:IMvRHvUWvoXPu0X7roRTt
                                                      TLSH:5826335835A494FAFDB7C03EC880981AEA71B4321765E7CF13B044624F3B6925C7ABD6
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W.../...W.../...W.../...W...+l..W...+...W...+...W...+...W.../...W...W..)W..e+...W..e+...W..Rich.W.................
                                                      Icon Hash:1fe731b1b131f02f
                                                      Entrypoint:0x14000b310
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x64E5BE24 [Wed Aug 23 08:07:00 2023 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:2
                                                      File Version Major:5
                                                      File Version Minor:2
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:2
                                                      Import Hash:0b5552dccd9d0a834cea55c0c8fc05be
                                                      Instruction
                                                      dec eax
                                                      sub esp, 28h
                                                      call 00007F8FCC8D780Ch
                                                      dec eax
                                                      add esp, 28h
                                                      jmp 00007F8FCC8D741Fh
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      dec eax
                                                      sub esp, 28h
                                                      call 00007F8FCC8D7D84h
                                                      test eax, eax
                                                      je 00007F8FCC8D75C3h
                                                      dec eax
                                                      mov eax, dword ptr [00000030h]
                                                      dec eax
                                                      mov ecx, dword ptr [eax+08h]
                                                      jmp 00007F8FCC8D75A7h
                                                      dec eax
                                                      cmp ecx, eax
                                                      je 00007F8FCC8D75B6h
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [0004121Ch], ecx
                                                      jne 00007F8FCC8D7590h
                                                      xor al, al
                                                      dec eax
                                                      add esp, 28h
                                                      ret
                                                      mov al, 01h
                                                      jmp 00007F8FCC8D7599h
                                                      int3
                                                      int3
                                                      int3
                                                      inc eax
                                                      push ebx
                                                      dec eax
                                                      sub esp, 20h
                                                      movzx eax, byte ptr [00041207h]
                                                      test ecx, ecx
                                                      mov ebx, 00000001h
                                                      cmove eax, ebx
                                                      mov byte ptr [000411F7h], al
                                                      call 00007F8FCC8D7B83h
                                                      call 00007F8FCC8D8CB2h
                                                      test al, al
                                                      jne 00007F8FCC8D75A6h
                                                      xor al, al
                                                      jmp 00007F8FCC8D75B6h
                                                      call 00007F8FCC8E5291h
                                                      test al, al
                                                      jne 00007F8FCC8D75ABh
                                                      xor ecx, ecx
                                                      call 00007F8FCC8D8CC2h
                                                      jmp 00007F8FCC8D758Ch
                                                      mov al, bl
                                                      dec eax
                                                      add esp, 20h
                                                      pop ebx
                                                      ret
                                                      int3
                                                      int3
                                                      int3
                                                      inc eax
                                                      push ebx
                                                      dec eax
                                                      sub esp, 20h
                                                      cmp byte ptr [000411BCh], 00000000h
                                                      mov ebx, ecx
                                                      jne 00007F8FCC8D7609h
                                                      cmp ecx, 01h
                                                      jnbe 00007F8FCC8D760Ch
                                                      call 00007F8FCC8D7CEAh
                                                      test eax, eax
                                                      je 00007F8FCC8D75CAh
                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3bd0c | 0x78 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x13ac | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4e000 | 0x20c4 | .pdata
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54000 | 0x758 | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39480 | 0x1c | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39340 | 0x140 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x418 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      .text | 0x1000 | 0x28800 | 0x28800 | 443d51fb84559b563832949912f06b00 | False | 0.5583465952932098 | data | 6.488023200564254 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rdata | 0x2a000 | 0x12b16 | 0x12c00 | 31d3f3f02dca1cad12d52351b53207de | False | 0.5154817708333334 | data | 5.8246724563252075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .data | 0x3d000 | 0x103f8 | 0xe00 | afabb66fdcd2825de5909f10c900fca7 | False | 0.13309151785714285 | DOS executable (block device driver \377\3) | 1.8096886543499544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .pdata | 0x4e000 | 0x20c4 | 0x2200 | 7b210ceebebc00c96d1c55c2b456bbb4 | False | 0.47794117647058826 | data | 5.274096406482418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      _RDATA | 0x51000 | 0x15c | 0x200 | c059b775abce97446903f3597b027fae | False | 0.384765625 | data | 2.808567494642619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .rsrc | 0x52000 | 0x13ac | 0x1400 | 2293c301736cb09e6f08486e35624f8d | False | 0.71171875 | data | 6.938870651173487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc | 0x54000 | 0x758 | 0x800 | 11aaafc72361ec8886a740c3e209ceb3 | False | 0.544921875 | data | 5.2576643703968475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                      RT_ICON | 0x520e8 | 0xd24 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8341260404280618
                                                      RT_GROUP_ICON | 0x52e0c | 0x14 | data | | | 1.05
                                                      RT_MANIFEST | 0x52e20 | 0x58c | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.44577464788732396
                                                      DLL | Import
                                                      USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
                                                      COMCTL32.dll |
                                                      KERNEL32.dll | GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, IsValidCodePage, GetACP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetOEMCP, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetEndOfFile, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
                                                      ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
                                                      GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 2, 2024 18:10:35.820175886 CEST | 53 | 58483 | 1.1.1.1 | 192.168.2.7


                                                      Target ID:1
                                                      Start time:12:10:16
                                                      Start date:02/10/2024
                                                      Path:C:\Users\user\Desktop\oneDrive.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\oneDrive.exe"
                                                      Imagebase:0x7ff6869c0000
                                                      File size:4'802'649 bytes
                                                      MD5 hash:8509691D37F05049067DF88592964A4B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:12:10:17
                                                      Start date:02/10/2024
                                                      Path:C:\Users\user\Desktop\oneDrive.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\oneDrive.exe"
                                                      Imagebase:0x7ff6869c0000
                                                      File size:4'802'649 bytes
                                                      MD5 hash:8509691D37F05049067DF88592964A4B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:12:10:18
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:12:10:18
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:12:10:28
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "hostname"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:12:10:28
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:12:10:28
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\HOSTNAME.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:hostname
                                                      Imagebase:0x7ff719ff0000
                                                      File size:14'848 bytes
                                                      MD5 hash:33AFAA43B84BDEAB12E02F9DBD2B2EE0
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:12:10:28
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:12:10:28
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:12:10:48
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:12:10:48
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:12:10:48
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\tasklist.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:tasklist
                                                      Imagebase:0x7ff73b6a0000
                                                      File size:106'496 bytes
                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:12:10:49
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "hostname"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:12:10:49
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:12:10:49
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\HOSTNAME.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:hostname
                                                      Imagebase:0x7ff719ff0000
                                                      File size:14'848 bytes
                                                      MD5 hash:33AFAA43B84BDEAB12E02F9DBD2B2EE0
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:12:10:49
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:12:10:49
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:12:11:09
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                      Imagebase:0x7ff70f680000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:12:11:09
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:12:11:09
                                                      Start date:02/10/2024
                                                      Path:C:\Windows\System32\tasklist.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:tasklist
                                                      Imagebase:0x7ff73b6a0000
                                                      File size:106'496 bytes
                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:10.9%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:17.2%
                                                        Total number of Nodes:2000
                                                        Total number of Limit Nodes:50
15523 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15524 7ff6869d380a 15523->15524 15524->15467 15525->15523 15525->15524 15527 7ff6869d0de3 15526->15527 15528 7ff6869d0e12 15527->15528 15530 7ff6869d0ecf 15527->15530 15529 7ff6869cfde0 12 API calls 15528->15529 15532 7ff6869d0e4f 15528->15532 15529->15532 15531 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15530->15531 15531->15532 15532->15467 15534 7ff6869d09d3 15533->15534 15535 7ff6869d0a02 15534->15535 15537 7ff6869d0abf 15534->15537 15536 7ff6869cfde0 12 API calls 15535->15536 15539 7ff6869d0a3f 15535->15539 15536->15539 15538 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15537->15538 15538->15539 15539->15467 15541 7ff6869d11f3 15540->15541 15542 7ff6869d1222 15541->15542 15544 7ff6869d12df 15541->15544 15543 7ff6869cfde0 12 API calls 15542->15543 15546 7ff6869d125f 15542->15546 15543->15546 15545 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15544->15545 15545->15546 15546->15467 15549 7ff6869dda28 15547->15549 15548 7ff6869dda6d 15552 7ff6869dda56 __scrt_get_show_window_mode 15548->15552 15554 7ff6869dda2d __scrt_get_show_window_mode 15548->15554 15700 7ff6869df0b8 15548->15700 15549->15548 15550 7ff6869d3a20 45 API calls 15549->15550 15549->15552 15549->15554 15550->15548 15551 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15551->15554 15552->15551 15552->15554 15554->15467 15558 7ff6869cfe17 15557->15558 15564 7ff6869cfe06 15557->15564 15558->15564 15587 7ff6869dcacc 15558->15587 15561 7ff6869d9e18 __free_lconv_num 11 API calls 15563 7ff6869cfe58 15561->15563 15562 7ff6869d9e18 __free_lconv_num 11 API calls 15562->15564 15563->15562 15565 7ff6869dd718 15564->15565 15566 7ff6869dd735 15565->15566 15567 7ff6869dd768 15565->15567 15568 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15566->15568 15567->15566 15569 7ff6869dd79a 15567->15569 15578 7ff6869d32a1 15568->15578 15574 7ff6869dd8ad 15569->15574 15582 7ff6869dd7e2 15569->15582 15570 7ff6869dd99f 15627 7ff6869dcc04 
15570->15627 15572 7ff6869dd965 15620 7ff6869dcf9c 15572->15620 15573 7ff6869dd934 15613 7ff6869dd27c 15573->15613 15574->15570 15574->15572 15574->15573 15576 7ff6869dd8f7 15574->15576 15579 7ff6869dd8ed 15574->15579 15603 7ff6869dd4ac 15576->15603 15578->15513 15578->15515 15579->15572 15581 7ff6869dd8f2 15579->15581 15581->15573 15581->15576 15582->15578 15594 7ff6869d91ac 15582->15594 15585 7ff6869d9dd0 _wfindfirst32i64 17 API calls 15586 7ff6869dd9fc 15585->15586 15588 7ff6869dcb17 15587->15588 15593 7ff6869dcadb _wfindfirst32i64 15587->15593 15590 7ff6869d4444 _wfindfirst32i64 11 API calls 15588->15590 15589 7ff6869dcafe HeapAlloc 15591 7ff6869cfe44 15589->15591 15589->15593 15590->15591 15591->15561 15591->15563 15592 7ff6869e26b0 _wfindfirst32i64 2 API calls 15592->15593 15593->15588 15593->15589 15593->15592 15595 7ff6869d91c3 15594->15595 15596 7ff6869d91b9 15594->15596 15597 7ff6869d4444 _wfindfirst32i64 11 API calls 15595->15597 15596->15595 15598 7ff6869d91de 15596->15598 15602 7ff6869d91ca 15597->15602 15599 7ff6869d91d6 15598->15599 15601 7ff6869d4444 _wfindfirst32i64 11 API calls 15598->15601 15599->15578 15599->15585 15600 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15600->15599 15601->15602 15602->15600 15636 7ff6869e31cc 15603->15636 15607 7ff6869dd554 15608 7ff6869dd5a9 15607->15608 15610 7ff6869dd574 15607->15610 15612 7ff6869dd558 15607->15612 15689 7ff6869dd098 15608->15689 15610->15610 15685 7ff6869dd354 15610->15685 15612->15578 15614 7ff6869e31cc 38 API calls 15613->15614 15615 7ff6869dd2c6 15614->15615 15616 7ff6869e2c14 37 API calls 15615->15616 15617 7ff6869dd316 15616->15617 15618 7ff6869dd31a 15617->15618 15619 7ff6869dd354 45 API calls 15617->15619 15618->15578 15619->15618 15621 7ff6869e31cc 38 API calls 15620->15621 15622 7ff6869dcfe7 15621->15622 15623 7ff6869e2c14 37 API calls 15622->15623 15624 7ff6869dd03f 15623->15624 15625 7ff6869dd043 15624->15625 15626 7ff6869dd098 45 API calls 15624->15626 15625->15578 15626->15625 
15628 7ff6869dcc7c 15627->15628 15629 7ff6869dcc49 15627->15629 15631 7ff6869dcc94 15628->15631 15634 7ff6869dcd15 15628->15634 15630 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15629->15630 15633 7ff6869dcc75 __scrt_get_show_window_mode 15630->15633 15632 7ff6869dcf9c 46 API calls 15631->15632 15632->15633 15633->15578 15634->15633 15635 7ff6869d3a20 45 API calls 15634->15635 15635->15633 15637 7ff6869e321f fegetenv 15636->15637 15638 7ff6869e712c 37 API calls 15637->15638 15642 7ff6869e3272 15638->15642 15639 7ff6869e329f 15644 7ff6869d91ac __std_exception_copy 37 API calls 15639->15644 15640 7ff6869e3362 15641 7ff6869e712c 37 API calls 15640->15641 15643 7ff6869e338c 15641->15643 15642->15640 15645 7ff6869e333c 15642->15645 15646 7ff6869e328d 15642->15646 15647 7ff6869e712c 37 API calls 15643->15647 15648 7ff6869e331d 15644->15648 15651 7ff6869d91ac __std_exception_copy 37 API calls 15645->15651 15646->15639 15646->15640 15649 7ff6869e339d 15647->15649 15650 7ff6869e4444 15648->15650 15655 7ff6869e3325 15648->15655 15652 7ff6869e7320 20 API calls 15649->15652 15653 7ff6869d9dd0 _wfindfirst32i64 17 API calls 15650->15653 15651->15648 15664 7ff6869e3406 __scrt_get_show_window_mode 15652->15664 15654 7ff6869e4459 15653->15654 15656 7ff6869cad80 _wfindfirst32i64 8 API calls 15655->15656 15657 7ff6869dd4f9 15656->15657 15681 7ff6869e2c14 15657->15681 15658 7ff6869e37af __scrt_get_show_window_mode 15659 7ff6869e3aef 15661 7ff6869e2d30 37 API calls 15659->15661 15660 7ff6869e3d8b memcpy_s __scrt_get_show_window_mode 15660->15659 15662 7ff6869e3a9b 15660->15662 15673 7ff6869d4444 11 API calls _wfindfirst32i64 15660->15673 15678 7ff6869d9db0 37 API calls _invalid_parameter_noinfo 15660->15678 15665 7ff6869e4207 15661->15665 15662->15659 15662->15662 15666 7ff6869e445c memcpy_s 37 API calls 15662->15666 15663 7ff6869e3447 memcpy_s 15663->15660 15676 7ff6869e38a3 memcpy_s __scrt_get_show_window_mode 15663->15676 15664->15658 15664->15663 15667 7ff6869d4444 
_wfindfirst32i64 11 API calls 15664->15667 15665->15665 15671 7ff6869e445c memcpy_s 37 API calls 15665->15671 15680 7ff6869e4262 15665->15680 15666->15659 15668 7ff6869e3880 15667->15668 15670 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15668->15670 15669 7ff6869e43e8 15672 7ff6869e712c 37 API calls 15669->15672 15670->15663 15671->15680 15672->15655 15673->15660 15674 7ff6869d4444 11 API calls _wfindfirst32i64 15674->15676 15675 7ff6869d9db0 37 API calls _invalid_parameter_noinfo 15675->15676 15676->15662 15676->15674 15676->15675 15677 7ff6869e2d30 37 API calls 15677->15680 15678->15660 15679 7ff6869e445c memcpy_s 37 API calls 15679->15680 15680->15669 15680->15677 15680->15679 15682 7ff6869e2c33 15681->15682 15683 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15682->15683 15684 7ff6869e2c5e memcpy_s 15682->15684 15683->15684 15684->15607 15686 7ff6869dd380 memcpy_s 15685->15686 15687 7ff6869d3a20 45 API calls 15686->15687 15688 7ff6869dd43a memcpy_s __scrt_get_show_window_mode 15686->15688 15687->15688 15688->15612 15690 7ff6869dd0d3 15689->15690 15694 7ff6869dd120 memcpy_s 15689->15694 15691 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15690->15691 15692 7ff6869dd0ff 15691->15692 15692->15612 15693 7ff6869dd18b 15695 7ff6869d91ac __std_exception_copy 37 API calls 15693->15695 15694->15693 15696 7ff6869d3a20 45 API calls 15694->15696 15699 7ff6869dd1cd memcpy_s 15695->15699 15696->15693 15697 7ff6869d9dd0 _wfindfirst32i64 17 API calls 15698 7ff6869dd278 15697->15698 15699->15697 15702 7ff6869df0dc WideCharToMultiByte 15700->15702 15704 7ff6869cffb3 15703->15704 15705 7ff6869cffa1 15703->15705 15708 7ff6869cffc0 15704->15708 15711 7ff6869cfffd 15704->15711 15706 7ff6869d4444 _wfindfirst32i64 11 API calls 15705->15706 15707 7ff6869cffa6 15706->15707 15709 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15707->15709 15710 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15708->15710 15716 7ff6869cffb1 15709->15716 15710->15716 15712 
7ff6869d00a6 15711->15712 15714 7ff6869d4444 _wfindfirst32i64 11 API calls 15711->15714 15713 7ff6869d4444 _wfindfirst32i64 11 API calls 15712->15713 15712->15716 15715 7ff6869d0150 15713->15715 15717 7ff6869d009b 15714->15717 15719 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15715->15719 15716->15436 15718 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15717->15718 15718->15712 15719->15716 15721 7ff6869d3a5f 15720->15721 15722 7ff6869dcb79 15720->15722 15724 7ff6869dcbcc 15721->15724 15722->15721 15728 7ff6869e2424 15722->15728 15725 7ff6869dcbe5 15724->15725 15726 7ff6869d3a6f 15724->15726 15725->15726 15772 7ff6869e1790 15725->15772 15726->15436 15740 7ff6869da620 GetLastError 15728->15740 15731 7ff6869e247e 15731->15721 15741 7ff6869da644 FlsGetValue 15740->15741 15742 7ff6869da661 FlsSetValue 15740->15742 15743 7ff6869da65b 15741->15743 15760 7ff6869da651 15741->15760 15744 7ff6869da673 15742->15744 15742->15760 15743->15742 15746 7ff6869ddd40 _wfindfirst32i64 11 API calls 15744->15746 15745 7ff6869da6cd SetLastError 15747 7ff6869da6da 15745->15747 15748 7ff6869da6ed 15745->15748 15749 7ff6869da682 15746->15749 15747->15731 15762 7ff6869df788 EnterCriticalSection 15747->15762 15763 7ff6869d920c 15748->15763 15751 7ff6869da6a0 FlsSetValue 15749->15751 15752 7ff6869da690 FlsSetValue 15749->15752 15755 7ff6869da6be 15751->15755 15756 7ff6869da6ac FlsSetValue 15751->15756 15754 7ff6869da699 15752->15754 15757 7ff6869d9e18 __free_lconv_num 11 API calls 15754->15757 15758 7ff6869da3c4 _wfindfirst32i64 11 API calls 15755->15758 15756->15754 15757->15760 15759 7ff6869da6c6 15758->15759 15761 7ff6869d9e18 __free_lconv_num 11 API calls 15759->15761 15760->15745 15761->15745 15764 7ff6869e2770 _CreateFrameInfo EnterCriticalSection LeaveCriticalSection 15763->15764 15765 7ff6869d9215 15764->15765 15766 7ff6869d9224 15765->15766 15767 7ff6869e27c0 _CreateFrameInfo 44 API calls 15765->15767 15768 7ff6869d922d IsProcessorFeaturePresent 15766->15768 15769 
7ff6869d9257 _CreateFrameInfo 15766->15769 15767->15766 15770 7ff6869d923c 15768->15770 15771 7ff6869d9ae4 _wfindfirst32i64 14 API calls 15770->15771 15771->15769 15773 7ff6869da620 _CreateFrameInfo 45 API calls 15772->15773 15774 7ff6869e1799 15773->15774 15782 7ff6869d42ec EnterCriticalSection 15775->15782 15784 7ff6869c24ec 15783->15784 15785 7ff6869d3be4 49 API calls 15784->15785 15786 7ff6869c253f 15785->15786 15787 7ff6869d4444 _wfindfirst32i64 11 API calls 15786->15787 15788 7ff6869c2544 15787->15788 15802 7ff6869d4464 15788->15802 15791 7ff6869c1b30 49 API calls 15792 7ff6869c2573 __scrt_get_show_window_mode 15791->15792 15793 7ff6869c7a30 57 API calls 15792->15793 15794 7ff6869c25a0 15793->15794 15795 7ff6869c25df MessageBoxA 15794->15795 15796 7ff6869c25a5 15794->15796 15798 7ff6869c25f9 15795->15798 15797 7ff6869c7a30 57 API calls 15796->15797 15799 7ff6869c25bf MessageBoxW 15797->15799 15800 7ff6869cad80 _wfindfirst32i64 8 API calls 15798->15800 15799->15798 15801 7ff6869c2609 15800->15801 15801->15064 15803 7ff6869da798 _wfindfirst32i64 11 API calls 15802->15803 15804 7ff6869d447b 15803->15804 15805 7ff6869c254b 15804->15805 15806 7ff6869ddd40 _wfindfirst32i64 11 API calls 15804->15806 15808 7ff6869d44bb 15804->15808 15805->15791 15807 7ff6869d44b0 15806->15807 15809 7ff6869d9e18 __free_lconv_num 11 API calls 15807->15809 15808->15805 15814 7ff6869de418 15808->15814 15809->15808 15812 7ff6869d9dd0 _wfindfirst32i64 17 API calls 15813 7ff6869d4500 15812->15813 15818 7ff6869de435 15814->15818 15815 7ff6869de43a 15816 7ff6869d44e1 15815->15816 15817 7ff6869d4444 _wfindfirst32i64 11 API calls 15815->15817 15816->15805 15816->15812 15819 7ff6869de444 15817->15819 15818->15815 15818->15816 15821 7ff6869de484 15818->15821 15820 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15819->15820 15820->15816 15821->15816 15822 7ff6869d4444 _wfindfirst32i64 11 API calls 15821->15822 15822->15819 15824 7ff6869c7b64 WideCharToMultiByte 15823->15824 15825 7ff6869c7bd2 
WideCharToMultiByte 15823->15825 15826 7ff6869c7b8e 15824->15826 15830 7ff6869c7ba5 15824->15830 15827 7ff6869c7bff 15825->15827 15828 7ff6869c3c05 15825->15828 15829 7ff6869c2620 57 API calls 15826->15829 15831 7ff6869c2620 57 API calls 15827->15831 15828->15073 15828->15075 15829->15828 15830->15825 15832 7ff6869c7bbb 15830->15832 15831->15828 15833 7ff6869c2620 57 API calls 15832->15833 15833->15828 15835 7ff6869c6a0e 15834->15835 15836 7ff6869d9123 15834->15836 15835->15094 15836->15835 15837 7ff6869d91ac __std_exception_copy 37 API calls 15836->15837 15838 7ff6869d9150 15837->15838 15838->15835 15839 7ff6869d9dd0 _wfindfirst32i64 17 API calls 15838->15839 15840 7ff6869d9180 15839->15840 15842 7ff6869c17e4 15841->15842 15843 7ff6869c17d4 15841->15843 15845 7ff6869c7200 83 API calls 15842->15845 15873 7ff6869c1842 15842->15873 15844 7ff6869c3cb0 116 API calls 15843->15844 15844->15842 15846 7ff6869c1815 15845->15846 15846->15873 15875 7ff6869cf934 15846->15875 15848 7ff6869cad80 _wfindfirst32i64 8 API calls 15850 7ff6869c19c0 15848->15850 15849 7ff6869c182b 15851 7ff6869c182f 15849->15851 15852 7ff6869c184c 15849->15852 15850->15109 15850->15110 15853 7ff6869c24d0 59 API calls 15851->15853 15879 7ff6869cf5fc 15852->15879 15853->15873 15856 7ff6869cf934 73 API calls 15858 7ff6869c18d1 15856->15858 15857 7ff6869c24d0 59 API calls 15857->15873 15859 7ff6869c18fe 15858->15859 15860 7ff6869c18e3 15858->15860 15862 7ff6869cf5fc _fread_nolock 53 API calls 15859->15862 15861 7ff6869c24d0 59 API calls 15860->15861 15861->15873 15863 7ff6869c1913 15862->15863 15864 7ff6869c1925 15863->15864 15865 7ff6869c1867 15863->15865 15882 7ff6869cf370 15864->15882 15865->15857 15868 7ff6869c193d 15869 7ff6869c2770 59 API calls 15868->15869 15869->15873 15870 7ff6869c1993 15872 7ff6869cf2ac 74 API calls 15870->15872 15870->15873 15871 7ff6869c1950 15871->15870 15874 7ff6869c2770 59 API calls 15871->15874 15872->15873 15873->15848 15874->15870 15876 7ff6869cf964 15875->15876 15888 
7ff6869cf6c4 15876->15888 15878 7ff6869cf97d 15878->15849 15900 7ff6869cf61c 15879->15900 15883 7ff6869c1939 15882->15883 15884 7ff6869cf379 15882->15884 15883->15868 15883->15871 15885 7ff6869d4444 _wfindfirst32i64 11 API calls 15884->15885 15886 7ff6869cf37e 15885->15886 15887 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15886->15887 15887->15883 15889 7ff6869cf72e 15888->15889 15890 7ff6869cf6ee 15888->15890 15889->15890 15892 7ff6869cf73a 15889->15892 15891 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 15890->15891 15898 7ff6869cf715 15891->15898 15899 7ff6869d42ec EnterCriticalSection 15892->15899 15898->15878 15901 7ff6869cf646 15900->15901 15912 7ff6869c1861 15900->15912 15902 7ff6869cf692 15901->15902 15904 7ff6869cf655 __scrt_get_show_window_mode 15901->15904 15901->15912 15913 7ff6869d42ec EnterCriticalSection 15902->15913 15906 7ff6869d4444 _wfindfirst32i64 11 API calls 15904->15906 15908 7ff6869cf66a 15906->15908 15909 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 15908->15909 15909->15912 15912->15856 15912->15865 16007 7ff6869c6720 15914->16007 15916 7ff6869c1454 15917 7ff6869c1459 15916->15917 16016 7ff6869c6a40 15916->16016 15917->15136 15920 7ff6869c14a7 15923 7ff6869c14e0 15920->15923 15924 7ff6869c3cb0 116 API calls 15920->15924 15921 7ff6869c1487 15922 7ff6869c24d0 59 API calls 15921->15922 15926 7ff6869c149d 15922->15926 15925 7ff6869cf934 73 API calls 15923->15925 15927 7ff6869c14bf 15924->15927 15928 7ff6869c14f2 15925->15928 15926->15136 15927->15923 15929 7ff6869c14c7 15927->15929 15930 7ff6869c1516 15928->15930 15931 7ff6869c14f6 15928->15931 15932 7ff6869c2770 59 API calls 15929->15932 15934 7ff6869c1534 15930->15934 15935 7ff6869c151c 15930->15935 15933 7ff6869c24d0 59 API calls 15931->15933 15942 7ff6869c14d6 __std_exception_copy 15932->15942 15933->15942 15937 7ff6869c1556 15934->15937 15947 7ff6869c1575 15934->15947 16041 7ff6869c1050 15935->16041 15939 7ff6869c24d0 59 API calls 15937->15939 15938 7ff6869c1624 15941 
7ff6869cf2ac 74 API calls 15938->15941 15939->15942 15940 7ff6869cf2ac 74 API calls 15940->15938 15941->15926 15942->15938 15942->15940 15943 7ff6869cf5fc _fread_nolock 53 API calls 15943->15947 15944 7ff6869c15d5 15946 7ff6869c24d0 59 API calls 15944->15946 15946->15942 15947->15942 15947->15943 15947->15944 16059 7ff6869cfd3c 15947->16059 15949 7ff6869c29a6 15948->15949 15950 7ff6869c1b30 49 API calls 15949->15950 15952 7ff6869c29db 15950->15952 15951 7ff6869c2de1 15952->15951 15953 7ff6869c3b20 49 API calls 15952->15953 15954 7ff6869c2a4f 15953->15954 16629 7ff6869c2e00 15954->16629 15957 7ff6869c2a91 15959 7ff6869c6720 98 API calls 15957->15959 15958 7ff6869c2aca 15960 7ff6869c2e00 75 API calls 15958->15960 15961 7ff6869c2a99 15959->15961 15962 7ff6869c2b1c 15960->15962 15965 7ff6869c2aba 15961->15965 16637 7ff6869c6600 15961->16637 15963 7ff6869c2b20 15962->15963 15964 7ff6869c2b86 15962->15964 15966 7ff6869c6720 98 API calls 15963->15966 15969 7ff6869c2e00 75 API calls 15964->15969 15967 7ff6869c2770 59 API calls 15965->15967 15971 7ff6869c2ac3 15965->15971 15970 7ff6869c2b28 15966->15970 15967->15971 15972 7ff6869c2bb2 15969->15972 15970->15965 15975 7ff6869c6600 138 API calls 15970->15975 15977 7ff6869cad80 _wfindfirst32i64 8 API calls 15971->15977 15973 7ff6869c2c12 15972->15973 15974 7ff6869c2e00 75 API calls 15972->15974 15973->15951 15976 7ff6869c6720 98 API calls 15973->15976 15978 7ff6869c2be2 15974->15978 15979 7ff6869c2b45 15975->15979 15984 7ff6869c2c22 15976->15984 15980 7ff6869c2b7b 15977->15980 15978->15973 15982 7ff6869c2e00 75 API calls 15978->15982 15979->15965 15981 7ff6869c2dc6 15979->15981 15980->15136 15982->15973 15984->15951 16004 7ff6869c17a1 16003->16004 16005 7ff6869c1795 16003->16005 16004->15136 16006 7ff6869c2770 59 API calls 16005->16006 16006->16004 16008 7ff6869c6768 16007->16008 16009 7ff6869c6732 16007->16009 16008->15916 16063 7ff6869c16d0 16009->16063 16017 7ff6869c6a50 16016->16017 16018 7ff6869c1b30 49 API calls 
16017->16018 16019 7ff6869c6a81 16018->16019 16020 7ff6869c6c4b 16019->16020 16021 7ff6869c1b30 49 API calls 16019->16021 16022 7ff6869cad80 _wfindfirst32i64 8 API calls 16020->16022 16024 7ff6869c6aa8 16021->16024 16023 7ff6869c147f 16022->16023 16023->15920 16023->15921 16024->16020 16579 7ff6869d50e8 16024->16579 16026 7ff6869c6bb9 16027 7ff6869c7a30 57 API calls 16026->16027 16029 7ff6869c6bd1 16027->16029 16028 7ff6869c6add 16028->16020 16028->16026 16028->16028 16038 7ff6869d50e8 49 API calls 16028->16038 16039 7ff6869c7a30 57 API calls 16028->16039 16040 7ff6869c78a0 58 API calls 16028->16040 16030 7ff6869c6c7a 16029->16030 16034 7ff6869c6990 61 API calls 16029->16034 16037 7ff6869c6c02 __std_exception_copy 16029->16037 16031 7ff6869c3cb0 116 API calls 16030->16031 16031->16020 16032 7ff6869c6c3f 16033 7ff6869c6c6e 16034->16037 16037->16032 16037->16033 16038->16028 16039->16028 16040->16028 16042 7ff6869c10a6 16041->16042 16043 7ff6869c10d3 16042->16043 16044 7ff6869c10ad 16042->16044 16047 7ff6869c1109 16043->16047 16048 7ff6869c10ed 16043->16048 16045 7ff6869c2770 59 API calls 16044->16045 16046 7ff6869c10c0 16045->16046 16046->15942 16060 7ff6869cfd6c 16059->16060 16614 7ff6869cfa8c 16060->16614 16065 7ff6869c16f5 16063->16065 16064 7ff6869c1738 16067 7ff6869c6780 16064->16067 16065->16064 16066 7ff6869c2770 59 API calls 16065->16066 16066->16064 16068 7ff6869c6798 16067->16068 16069 7ff6869c67b8 16068->16069 16070 7ff6869c680b 16068->16070 16072 7ff6869c6990 61 API calls 16069->16072 16071 7ff6869c6810 GetTempPathW 16070->16071 16073 7ff6869c6825 16071->16073 16074 7ff6869c67c4 16072->16074 16107 7ff6869c2470 16073->16107 16131 7ff6869c6480 16074->16131 16079 7ff6869cad80 _wfindfirst32i64 8 API calls 16085 7ff6869c683e __std_exception_copy 16086 7ff6869c68e6 16085->16086 16090 7ff6869c6871 16085->16090 16111 7ff6869d736c 16085->16111 16114 7ff6869c78a0 16085->16114 16106 7ff6869c68aa __std_exception_copy 16090->16106 16106->16079 16108 7ff6869c2495 
16107->16108 16165 7ff6869d3e38 16108->16165 16132 7ff6869c648c 16131->16132 16133 7ff6869c7a30 57 API calls 16132->16133 16134 7ff6869c64ae 16133->16134 16135 7ff6869c64c9 ExpandEnvironmentStringsW 16134->16135 16136 7ff6869c64b6 16134->16136 16137 7ff6869c64ef __std_exception_copy 16135->16137 16138 7ff6869c2770 59 API calls 16136->16138 16139 7ff6869c64f3 16137->16139 16140 7ff6869c6506 16137->16140 16144 7ff6869c64c2 16138->16144 16142 7ff6869c2770 59 API calls 16139->16142 16145 7ff6869c6520 16140->16145 16146 7ff6869c6514 16140->16146 16141 7ff6869cad80 _wfindfirst32i64 8 API calls 16143 7ff6869c65e8 16141->16143 16142->16144 16143->16106 16155 7ff6869d66b4 16143->16155 16144->16141 16479 7ff6869d5348 16145->16479 16472 7ff6869d5f44 16146->16472 16149 7ff6869c651e 16156 7ff6869d66d4 16155->16156 16157 7ff6869d66c1 16155->16157 16167 7ff6869d3e92 16165->16167 16166 7ff6869d3eb7 16168 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 16166->16168 16167->16166 16169 7ff6869d3ef3 16167->16169 16171 7ff6869d3ee1 16168->16171 16183 7ff6869d21f0 16169->16183 16173 7ff6869cad80 _wfindfirst32i64 8 API calls 16171->16173 16172 7ff6869d3fd4 16174 7ff6869d9e18 __free_lconv_num 11 API calls 16172->16174 16176 7ff6869c24b4 16173->16176 16174->16171 16176->16085 16177 7ff6869d3ffa 16177->16172 16178 7ff6869d3fa9 16181 7ff6869d3fa0 16181->16172 16181->16178 16184 7ff6869d222e 16183->16184 16185 7ff6869d221e 16183->16185 16186 7ff6869d2237 16184->16186 16191 7ff6869d2265 16184->16191 16189 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 16185->16189 16187 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 16186->16187 16188 7ff6869d225d 16187->16188 16188->16172 16188->16177 16188->16178 16188->16181 16189->16188 16191->16185 16191->16188 16194 7ff6869d2c04 16191->16194 16227 7ff6869d2650 16191->16227 16264 7ff6869d1de0 16191->16264 16195 7ff6869d2c46 16194->16195 16196 7ff6869d2cb7 16194->16196 16197 7ff6869d2ce1 16195->16197 16198 7ff6869d2c4c 16195->16198 16199 
7ff6869d2d10 16196->16199 16200 7ff6869d2cbc 16196->16200 16228 7ff6869d2674 16227->16228 16229 7ff6869d265e 16227->16229 16232 7ff6869d9ce4 _invalid_parameter_noinfo 37 API calls 16228->16232 16233 7ff6869d26b4 16228->16233 16230 7ff6869d2c46 16229->16230 16231 7ff6869d2cb7 16229->16231 16229->16233 16232->16233 16233->16191 16320 7ff6869d0228 16264->16320 16321 7ff6869d026f 16320->16321 16322 7ff6869d025d 16320->16322 16473 7ff6869d5f95 16472->16473 16474 7ff6869d5f62 16472->16474 16473->16149 16474->16473 16475 7ff6869df924 _wfindfirst32i64 37 API calls 16474->16475 16480 7ff6869d53d2 16479->16480 16481 7ff6869d5364 16479->16481 16516 7ff6869df090 16480->16516 16481->16480 16483 7ff6869d5369 16481->16483 16580 7ff6869da620 _CreateFrameInfo 45 API calls 16579->16580 16582 7ff6869d50fd 16580->16582 16581 7ff6869dee97 16601 7ff6869caf14 16581->16601 16582->16581 16585 7ff6869dedb6 16582->16585 16586 7ff6869cad80 _wfindfirst32i64 8 API calls 16585->16586 16587 7ff6869dee8f 16586->16587 16587->16028 16604 7ff6869caf28 IsProcessorFeaturePresent 16601->16604 16605 7ff6869caf3f 16604->16605 16610 7ff6869cafc4 RtlCaptureContext RtlLookupFunctionEntry 16605->16610 16611 7ff6869caff4 RtlVirtualUnwind 16610->16611 16612 7ff6869caf53 16610->16612 16611->16612 16613 7ff6869cae00 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16612->16613 16615 7ff6869cfaac 16614->16615 16620 7ff6869cfad9 16614->16620 16615->16620 16630 7ff6869c2e34 16629->16630 16631 7ff6869d3be4 49 API calls 16630->16631 16632 7ff6869c2e5a 16631->16632 16633 7ff6869c2e6b 16632->16633 16661 7ff6869d4e08 16632->16661 16635 7ff6869cad80 _wfindfirst32i64 8 API calls 16633->16635 16636 7ff6869c2a8d 16635->16636 16636->15957 16636->15958 16638 7ff6869c660e 16637->16638 16639 7ff6869c3cb0 116 API calls 16638->16639 16640 7ff6869c6635 16639->16640 16641 7ff6869c6a40 136 API calls 16640->16641 16642 7ff6869c6643 16641->16642 16662 7ff6869d4e25 16661->16662 16663 7ff6869d4e31 
16661->16663 16678 7ff6869d4680 16662->16678 16703 7ff6869d4a1c 16663->16703 16666 7ff6869d4e2a 16666->16633 16669 7ff6869d4e69 16714 7ff6869d4504 16669->16714 16672 7ff6869d4ec5 16672->16666 16676 7ff6869d9e18 __free_lconv_num 11 API calls 16672->16676 16673 7ff6869d4ed9 16674 7ff6869d4680 69 API calls 16673->16674 16675 7ff6869d4ee5 16674->16675 16675->16666 16677 7ff6869d9e18 __free_lconv_num 11 API calls 16675->16677 16676->16666 16677->16666 16679 7ff6869d469a 16678->16679 16680 7ff6869d46b7 16678->16680 16682 7ff6869d4424 _fread_nolock 11 API calls 16679->16682 16680->16679 16681 7ff6869d46ca CreateFileW 16680->16681 16683 7ff6869d4734 16681->16683 16684 7ff6869d46fe 16681->16684 16685 7ff6869d469f 16682->16685 16762 7ff6869d4cf8 16683->16762 16736 7ff6869d47d4 GetFileType 16684->16736 16686 7ff6869d4444 _wfindfirst32i64 11 API calls 16685->16686 16689 7ff6869d46a7 16686->16689 16692 7ff6869d9db0 _invalid_parameter_noinfo 37 API calls 16689->16692 16698 7ff6869d46b2 16692->16698 16695 7ff6869d473d 16696 7ff6869d4768 16698->16666 16704 7ff6869d4a40 16703->16704 16710 7ff6869d4a3b 16703->16710 16705 7ff6869da620 _CreateFrameInfo 45 API calls 16704->16705 16704->16710 16706 7ff6869d4a5b 16705->16706 16824 7ff6869dcb2c 16706->16824 16710->16669 16711 7ff6869ddfcc 16710->16711 16832 7ff6869dddb8 16711->16832 16715 7ff6869d4552 16714->16715 16716 7ff6869d452e 16714->16716 16717 7ff6869d45ac 16715->16717 16718 7ff6869d4557 16715->16718 16720 7ff6869d9e18 __free_lconv_num 11 API calls 16716->16720 16725 7ff6869d453d 16716->16725 16842 7ff6869de7f0 16717->16842 16721 7ff6869d456c 16718->16721 16722 7ff6869d9e18 __free_lconv_num 11 API calls 16718->16722 16718->16725 16720->16725 16723 7ff6869dcacc _fread_nolock 12 API calls 16721->16723 16722->16721 16723->16725 16725->16672 16725->16673 16737 7ff6869d4822 16736->16737 16738 7ff6869d48df 16736->16738 16739 7ff6869d484e GetFileInformationByHandle 16737->16739 16743 7ff6869d4bf4 21 API calls 16737->16743 16740 
7ff6869d48e7 16738->16740 16741 7ff6869d4909 16738->16741 16744 7ff6869d48fa GetLastError 16739->16744 16745 7ff6869d4877 16739->16745 16740->16744 16746 7ff6869d48eb 16740->16746 16742 7ff6869d492c PeekNamedPipe 16741->16742 16751 7ff6869d48ca 16741->16751 16742->16751 16748 7ff6869d483c 16743->16748 16747 7ff6869d43b8 _fread_nolock 11 API calls 16744->16747 16749 7ff6869d4ab8 51 API calls 16745->16749 16750 7ff6869d4444 _wfindfirst32i64 11 API calls 16746->16750 16747->16751 16748->16739 16748->16751 16753 7ff6869d4882 16749->16753 16750->16751 16752 7ff6869cad80 _wfindfirst32i64 8 API calls 16751->16752 16763 7ff6869d4d2e 16762->16763 16764 7ff6869d4dc6 __std_exception_copy 16763->16764 16765 7ff6869d4444 _wfindfirst32i64 11 API calls 16763->16765 16766 7ff6869cad80 _wfindfirst32i64 8 API calls 16764->16766 16767 7ff6869d4d40 16765->16767 16768 7ff6869d4739 16766->16768 16769 7ff6869d4444 _wfindfirst32i64 11 API calls 16767->16769 16768->16695 16768->16696 16770 7ff6869d4d48 16769->16770 16825 7ff6869dcb41 16824->16825 16826 7ff6869d4a7e 16824->16826 16825->16826 16827 7ff6869e2424 45 API calls 16825->16827 16828 7ff6869dcb98 16826->16828 16827->16826 16829 7ff6869dcbad 16828->16829 16831 7ff6869dcbc0 16828->16831 16830 7ff6869e1790 45 API calls 16829->16830 16829->16831 16830->16831 16831->16710 16833 7ff6869dde15 16832->16833 16835 7ff6869dde10 __vcrt_FlsAlloc 16832->16835 16833->16669 16834 7ff6869dde45 LoadLibraryExW 16837 7ff6869ddf1a 16834->16837 16838 7ff6869dde6a GetLastError 16834->16838 16835->16833 16835->16834 16836 7ff6869ddf3a GetProcAddress 16835->16836 16841 7ff6869ddea4 LoadLibraryExW 16835->16841 16836->16833 16840 7ff6869ddf4b 16836->16840 16837->16836 16839 7ff6869ddf31 FreeLibrary 16837->16839 16838->16835 16839->16836 16840->16833 16841->16835 16841->16837 16844 7ff6869de7f9 MultiByteToWideChar 16842->16844 16872 7ff6869c707a 16871->16872 16873 7ff6869d918d 16871->16873 16877 7ff6869d6ef8 16872->16877 16874 7ff6869d4444 _wfindfirst32i64 11 

                                                        Control-flow Graph

                                                        APIs
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E4E65
                                                          • Part of subcall function 00007FF6869E47B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E47CC
                                                          • Part of subcall function 00007FF6869D9E18: RtlFreeHeap.NTDLL(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                          • Part of subcall function 00007FF6869D9E18: GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                          • Part of subcall function 00007FF6869D9DD0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6869D9DAF,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869D9DD9
                                                          • Part of subcall function 00007FF6869D9DD0: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6869D9DAF,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869D9DFE
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E4E54
                                                          • Part of subcall function 00007FF6869E4818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E482C
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50CA
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50DB
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50EC
                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6869E532C), ref: 00007FF6869E5113
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                        • API String ID: 4070488512-239921721
                                                        • Opcode ID: 77ba2d10f7a40a17f98ee8fd01e8c058cff67636c36494bf754a44884999314e
                                                        • Instruction ID: 4a730f5b140078a5de538043c89b975cabd17c3897cac6644a78913b76a902d4
                                                        • Opcode Fuzzy Hash: 77ba2d10f7a40a17f98ee8fd01e8c058cff67636c36494bf754a44884999314e
                                                        • Instruction Fuzzy Hash: 44D17C66A18283C6EF20AF25D4511B967A1FF84B94F45813EEA0D876C6DF7EEC42C740

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                        • String ID:
                                                        • API String ID: 1617910340-0
                                                        • Opcode ID: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
                                                        • Instruction ID: ffb95471b4a742d7601a96979353f00057265813c4828013fc064cbb673f0455
                                                        • Opcode Fuzzy Hash: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
                                                        • Instruction Fuzzy Hash: 6FC1A236B24A82C6EF51CF69C4906AC3761FB49BA8B015239DA1E977D6CF7AD851C300

                                                        Control-flow Graph

                                                        APIs
                                                        • GetTempPathW.KERNEL32(?,00000000,?,00007FF6869C674D), ref: 00007FF6869C681A
                                                          • Part of subcall function 00007FF6869C6990: GetEnvironmentVariableW.KERNEL32(00007FF6869C36E7), ref: 00007FF6869C69CA
                                                          • Part of subcall function 00007FF6869C6990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6869C69E7
                                                          • Part of subcall function 00007FF6869D66B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869D66CD
                                                        • SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF6869C68D1
                                                          • Part of subcall function 00007FF6869C2770: MessageBoxW.USER32 ref: 00007FF6869C2841
                                                        Strings
                                                        Similarity
                                                        • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                        • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                        • API String ID: 3752271684-1116378104
                                                        • Opcode ID: e6afb0128859ccbf49ce8011b8d869e8e025b7611e3f9a50b4fcc1994f3a2000
                                                        • Instruction ID: 12615383b6e2257a10b6f3c23b9eacad0eb6fbf4281c3efd35d3c732767b3415
                                                        • Opcode Fuzzy Hash: e6afb0128859ccbf49ce8011b8d869e8e025b7611e3f9a50b4fcc1994f3a2000
                                                        • Instruction Fuzzy Hash: 84515921B1D6C3C1FE54AB62A9556BA5251BF89BD0F484439ED0ECB7D7EE2EEC01C600

                                                        Control-flow Graph

                                                        APIs
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50CA
                                                          • Part of subcall function 00007FF6869E4818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E482C
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50DB
                                                          • Part of subcall function 00007FF6869E47B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E47CC
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50EC
                                                          • Part of subcall function 00007FF6869E47E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E47FC
                                                          • Part of subcall function 00007FF6869D9E18: RtlFreeHeap.NTDLL(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                          • Part of subcall function 00007FF6869D9E18: GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6869E532C), ref: 00007FF6869E5113
                                                        Strings
                                                        Similarity
                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                        • API String ID: 3458911817-239921721
                                                        • Opcode ID: 74e2aae664cff904285b8cceaf5bd78e264b53cf78d1017760ee0a7f729cca6e
                                                        • Instruction ID: f05a120133836877883eb79a7598f4e417a44c09cbd800705c14821e6c1c51b4
                                                        • Opcode Fuzzy Hash: 74e2aae664cff904285b8cceaf5bd78e264b53cf78d1017760ee0a7f729cca6e
                                                        • Instruction Fuzzy Hash: F9516A72A18683C6EB20EF21E9911A96760BF88784F45513EEA4DC36D6DF7EEC01C740

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _fread_nolock$Message_invalid_parameter_noinfo
                                                        • String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                        • API String ID: 2153230061-4158440160
                                                        • Opcode ID: 68b35546f29596827bc47b3227837218a9e837bbf0a69e001d444f975be426ca
                                                        • Instruction ID: 6baa0f4772c03c00f59c1df640cf9658c2e9d7bfcb866351f80806edd549a0fc
                                                        • Opcode Fuzzy Hash: 68b35546f29596827bc47b3227837218a9e837bbf0a69e001d444f975be426ca
                                                        • Instruction Fuzzy Hash: 33511A72A09683C6EF54CF28E45517833A0FF48B58B518139DA0EC77DAEE6EE944C744

                                                        Control-flow Graph

                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                        • API String ID: 0-666925554
                                                        • Opcode ID: 6041479c6bed9feef08198157533aa3f314bee298d6c7b4abc1b35478bb2c527
                                                        • Instruction ID: ec3dde29b07e951715218c0a3e8332ebf4329088ddccf8077d0ee4201b64d0fe
                                                        • Opcode Fuzzy Hash: 6041479c6bed9feef08198157533aa3f314bee298d6c7b4abc1b35478bb2c527
                                                        • Instruction Fuzzy Hash: F5517861B08AC3C1EE209B21E5546B963A0BF45BE8F444539DE0EC76E7EE7EE945C304

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                        • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                        • API String ID: 4998090-2855260032
                                                        • Opcode ID: bd17a40a22c884ade7d87aa0fec574675d56acca5ecee7ff6bf5a056ddc52e71
                                                        • Instruction ID: 8da2eea8deb8d7015943f864ab9d974cea02c40b2eda5059854a239fdba017de
                                                        • Opcode Fuzzy Hash: bd17a40a22c884ade7d87aa0fec574675d56acca5ecee7ff6bf5a056ddc52e71
                                                        • Instruction Fuzzy Hash: 96413D3161C6C3C2EF509F61E4446AA7361FF857A4F440239EA9E866E6DF7DD944CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                        • String ID: CreateProcessW$Error creating child process!
                                                        • API String ID: 2895956056-3524285272
                                                        • Opcode ID: 818e29d337d92c80142cd965dc47d4137e35c853672c1fb6e5a7bce6e7f526a1
                                                        • Instruction ID: 7f8df44f7d045042c4078dee0a01664aadb41bf48f778d8dee9f7bd61b584d72
                                                        • Opcode Fuzzy Hash: 818e29d337d92c80142cd965dc47d4137e35c853672c1fb6e5a7bce6e7f526a1
                                                        • Instruction Fuzzy Hash: A4412032A087C3C2DE209B64E8552AAB364FF95364F400339E6AD87AE6DF7DD454CB40

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00007FF6869C3BA0: GetModuleFileNameW.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C3BD1
                                                        • SetDllDirectoryW.KERNEL32 ref: 00007FF6869C38A5
                                                          • Part of subcall function 00007FF6869C6990: GetEnvironmentVariableW.KERNEL32(00007FF6869C36E7), ref: 00007FF6869C69CA
                                                          • Part of subcall function 00007FF6869C6990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6869C69E7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                        • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                        • API String ID: 2344891160-3602715111
                                                        • Opcode ID: 50111eb3a4ecf2aa9f2e8277530249e951fb5dfdc06a0922ff57c1695f9e45b2
                                                        • Instruction ID: 8a413891b6935212a964e5ed665dfd365a39070ce06dff9cbd96d0c9a3657484
                                                        • Opcode Fuzzy Hash: 50111eb3a4ecf2aa9f2e8277530249e951fb5dfdc06a0922ff57c1695f9e45b2
                                                        • Instruction Fuzzy Hash: D1B18121A1CAC3D1EE65AB2194512FD6390BF44784F80413AEA4FC76DBEE2EEE05D740

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                        • API String ID: 2030045667-1655038675
                                                        • Opcode ID: 2f46febe429223a823cb0d88def6e2cd0a3a4a90dbb08f42ff036ba8ee2fdb2c
                                                        • Instruction ID: 955c61dbf2f9955b0a763ad5e6a27ffde3007a405058485060dfca9b9a955f49
                                                        • Opcode Fuzzy Hash: 2f46febe429223a823cb0d88def6e2cd0a3a4a90dbb08f42ff036ba8ee2fdb2c
                                                        • Instruction Fuzzy Hash: 8551BC22A086C3C5EE609B55E4503BA6290BF86BA4F444139DE4EC77DAEF3EE945C704

                                                        Control-flow Graph

                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,00000000,?,00007FF6869DE152,?,?,-00000018,00007FF6869DA223,?,?,?,00007FF6869DA11A,?,?,?,00007FF6869D5472), ref: 00007FF6869DDF34
                                                        • GetProcAddress.KERNEL32(?,00000000,?,00007FF6869DE152,?,?,-00000018,00007FF6869DA223,?,?,?,00007FF6869DA11A,?,?,?,00007FF6869D5472), ref: 00007FF6869DDF40
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                        • Instruction ID: 9d107852cfc4aa0f868c5404c2d617d4e674a6d402143d49c1fa439845df7a03
                                                        • Opcode Fuzzy Hash: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                        • Instruction Fuzzy Hash: 9341E122B19693C1FE25CB1698005756299BF15BA0F4A413DDD0DC77DAEE7EEC49C310

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 184652ea66a00c646f0d6e367f8fa0d47b8fb75159f9cd0cc9461bb9675fa9ff
                                                        • Instruction ID: 35f6306d704fc450e07160b12ce18835cde31332b95a2372a797c17fbde69450
                                                        • Opcode Fuzzy Hash: 184652ea66a00c646f0d6e367f8fa0d47b8fb75159f9cd0cc9461bb9675fa9ff
                                                        • Instruction Fuzzy Hash: 13C1B262A086C7C2EF609B1594402BD6BA6FF91B90F550139DA4E837DBCE7EEC45C300

                                                        Control-flow Graph

                                                        APIs
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6869DC41B), ref: 00007FF6869DC54C
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6869DC41B), ref: 00007FF6869DC5D7
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
                                                        • Instruction ID: a9441e32a3afeeca4ddadcb5b85b1b15deb759aef26ec62ca785a7e1ea7d543a
                                                        • Opcode Fuzzy Hash: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
                                                        • Instruction Fuzzy Hash: BE918C62A18693C5FB608F6594403BD2BA9BF44BC8F54513DDA0EA7AD6DF3AD842C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _get_daylight$_isindst
                                                        • String ID:
                                                        • API String ID: 4170891091-0
                                                        • Opcode ID: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
                                                        • Instruction ID: 9284604e2a3f059722f4b685aee7ca3fc47244255e99c7c081658d03c1867a06
                                                        • Opcode Fuzzy Hash: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
                                                        • Instruction Fuzzy Hash: 2351C572F04693CAEF14DB68A9816BC27A5BF50368F54423DED1E92AD6DF39AC41C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 1452418845-0
                                                        • Opcode ID: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
                                                        • Instruction ID: c44b0a608571c3da6aa2a096032fc1fad657fba48939cd9cdd61962a0bcf5723
                                                        • Opcode Fuzzy Hash: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
                                                        • Instruction Fuzzy Hash: A5313911E08183C6FE14AB6095613BD3282BFA5384F45003CD94FCB2EBDE6FAE06C201
                                                        APIs
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 1279662727-0
                                                        • Opcode ID: 1c8fa0e9f1f268703cdfbf571ccde9a0ae4dbb37f3b5d3b3dc57de33b3aee677
                                                        • Instruction ID: 54af97e77354bbb2b2d59b266c33b0ebdf1e0cd9b2f329112b284c0e020acf48
                                                        • Opcode Fuzzy Hash: 1c8fa0e9f1f268703cdfbf571ccde9a0ae4dbb37f3b5d3b3dc57de33b3aee677
                                                        • Instruction Fuzzy Hash: 5E418322E187C2C3EB948B61951037962A0FF95B64F109338E69C47AD7DF6DA9E0C700
                                                        APIs
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        • Opcode ID: d426427e4f48dbbb9dc5f253e5f2c69f0b75b8518679dacd75070a6bbb583433
                                                        • Instruction ID: 3dfb40239b053b8c91d6a486a76a98fa43dadd9ed469e1c9b6dae5d383991e51
                                                        • Opcode Fuzzy Hash: d426427e4f48dbbb9dc5f253e5f2c69f0b75b8518679dacd75070a6bbb583433
                                                        • Instruction Fuzzy Hash: ABD06C10B18683C2EE182BB0599517912127F88B61B11283CC81A8A7E7CDAEAC49C300
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
                                                        • Instruction ID: 1ddfc6e910e589cafb0d55d111a27352bfd63f83c7b17d911d935b6c52a2941c
                                                        • Opcode Fuzzy Hash: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
                                                        • Instruction Fuzzy Hash: BB51D461B092C3C6EE689E25950467A6691BF44BE4F148638DE6EC77CBCF3EDC01C601
                                                        APIs
                                                        • SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF6869DB79D), ref: 00007FF6869DB650
                                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6869DB79D), ref: 00007FF6869DB65A
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        • Opcode ID: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
                                                        • Instruction ID: 55e0760c798f35c2569b785a52dc0337a394420d47c0e93d2944f701cd1159ca
                                                        • Opcode Fuzzy Hash: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
                                                        • Instruction Fuzzy Hash: 2A118FA2A18B82C1DE108B25A40416D7762BF45BF4F944339EA7D877EACF7DD851C700
                                                        APIs
                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6869D6801), ref: 00007FF6869D69A7
                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6869D6801), ref: 00007FF6869D69BD
                                                        Similarity
                                                        • API ID: Time$System$FileLocalSpecific
                                                        • String ID:
                                                        • API String ID: 1707611234-0
                                                        • Opcode ID: 830c94081867150c960b6d723a3faffd283ff7679e667b9fb6d49bf0e5e2b665
                                                        • Instruction ID: 7f54df71d7538cbb144f8064f4618191f39e1c964096e6fb4732ff075b316b05
                                                        • Opcode Fuzzy Hash: 830c94081867150c960b6d723a3faffd283ff7679e667b9fb6d49bf0e5e2b665
                                                        • Instruction Fuzzy Hash: 53017C3250C692C2EB608F15A40167AB7A0FF81731F60023AF6AD815D9DF7ED815CB00
                                                        APIs
                                                        • RtlFreeHeap.NTDLL(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                        Similarity
                                                        • API ID: ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 485612231-0
                                                        • Opcode ID: 875bb2537aa3df01b4a1e34b7b101e94a2dc47b4cb64fa0c1180c15e07a79d81
                                                        • Instruction ID: e233039c3f063b84a7f2222e7b2d7db71e5b20832fec8a66159b2c913f31ce4d
                                                        • Opcode Fuzzy Hash: 875bb2537aa3df01b4a1e34b7b101e94a2dc47b4cb64fa0c1180c15e07a79d81
                                                        • Instruction Fuzzy Hash: A5E08C60F08283C2FF58ABB2A88513912A07F98B40F04503CC90DC72E3EF2EAC85C350
                                                        APIs
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID:
                                                        • API String ID: 2018770650-0
                                                        • Opcode ID: 677f2ceb8ee0d5d75214142403d5559098fe9c7e5a50d88e5e1a5187c850d191
                                                        • Instruction ID: e23ef4bed944f0971e34f0f881a1d4b31390db087d012cd2a05c2f1beeb829a9
                                                        • Opcode Fuzzy Hash: 677f2ceb8ee0d5d75214142403d5559098fe9c7e5a50d88e5e1a5187c850d191
                                                        • Instruction Fuzzy Hash: 3BD01224F28983C6EE542B794C4553C12907F55731F50063DE019C02E3EE6EBD85D201
                                                        APIs
                                                        Similarity
                                                        • API ID: DirectoryErrorLastRemove
                                                        • String ID:
                                                        • API String ID: 377330604-0
                                                        • Opcode ID: 45670ffc5494559b4402bb32e1ee61b2bed3bec50e0362f78a5b89dc8e7724e5
                                                        • Instruction ID: de8b7a7429b0e363d698a6a7e4a2abd745c67795f0992667521d8f71bde5fdd1
                                                        • Opcode Fuzzy Hash: 45670ffc5494559b4402bb32e1ee61b2bed3bec50e0362f78a5b89dc8e7724e5
                                                        • Instruction Fuzzy Hash: DAD01220F1C687C2EF5427754D4523811A03F54771F51063CE01AC52E3DE6FAD55C211
                                                        APIs
                                                        • CloseHandle.KERNELBASE(?,?,?,00007FF6869D9EA5,?,?,00000000,00007FF6869D9F5A), ref: 00007FF6869DA096
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869D9EA5,?,?,00000000,00007FF6869D9F5A), ref: 00007FF6869DA0A0
                                                        Similarity
                                                        • API ID: CloseErrorHandleLast
                                                        • String ID:
                                                        • API String ID: 918212764-0
                                                        • Opcode ID: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
                                                        • Instruction ID: d737a1cc6f16eeebada49c06781e2be62655489af6c7ef62383d8b29d848b388
                                                        • Opcode Fuzzy Hash: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
                                                        • Instruction Fuzzy Hash: 68219F21B186C3C5EE509765D4542791292BF85BF0F14423DEA2EC77D3CE6EAC65C300
                                                        APIs
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_findclose
                                                        • String ID:
                                                        • API String ID: 2772937645-0
                                                        • Opcode ID: 37a4e224697fbf4831613d35a88c56fbb79b718194e75a506f580689560dc945
                                                        • Instruction ID: 536e0067b1d47790b8fd2d2bda9182463fb96266c8619a8a656472d7656cdf94
                                                        • Opcode Fuzzy Hash: 37a4e224697fbf4831613d35a88c56fbb79b718194e75a506f580689560dc945
                                                        • Instruction Fuzzy Hash: DD71AE62E18AC6C1EA10CB2CC5052FD6360FBA9B48F55E325DB9D52593EF29E6D9C300
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 7edcb5c19051daea02f21c4053ec30bf8603933813fd22e9cae156a3527bc5bd
                                                        • Instruction ID: 231b8e70e92c901180214fd3ef494851442aee016d0e91d6841f46d27fdd9029
                                                        • Opcode Fuzzy Hash: 7edcb5c19051daea02f21c4053ec30bf8603933813fd22e9cae156a3527bc5bd
                                                        • Instruction Fuzzy Hash: C941CF72909283C7EE24DA19E540279B3A2FF95B54F100239D68EC76D6CF2EE802C751
                                                        APIs
                                                        Similarity
                                                        • API ID: _fread_nolock
                                                        • String ID:
                                                        • API String ID: 840049012-0
                                                        • Opcode ID: abb5fb2f1e2ece73c5b7ea27c97ed87c428d7c079f2870cf2a6124b1c0566b16
                                                        • Instruction ID: 64991a8481fd01b862e2bf2ecb1abfc886ec1adce2d048773d07bdb5ced14326
                                                        • Opcode Fuzzy Hash: abb5fb2f1e2ece73c5b7ea27c97ed87c428d7c079f2870cf2a6124b1c0566b16
                                                        • Instruction Fuzzy Hash: A7218021B092D3C6EE119A12A5147BAA651BF45BD4F884438EF0E8B7C7CE3EE946C600
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 47f2cb7360056a46563935c31beadd7a45ae652dec1b657f4a22353b163fa2db
                                                        • Instruction ID: cb0f4aae9aa6e56c07f7b2345923d5c3fc933e9148756c73f83a58709fd9c366
                                                        • Opcode Fuzzy Hash: 47f2cb7360056a46563935c31beadd7a45ae652dec1b657f4a22353b163fa2db
                                                        • Instruction Fuzzy Hash: 0C316722A18683C9EF91AF15C8413782690BF40BA0F410239EA1D833D3CFBEEC91C725
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                        • String ID:
                                                        • API String ID: 3947729631-0
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        Similarity
                                                        • API ID: DirectoryErrorLastRemove
                                                        • String ID:
                                                        • API String ID: 377330604-0
                                                        APIs
                                                        • HeapAlloc.KERNEL32(?,?,00000000,00007FF6869DA8B6,?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E), ref: 00007FF6869DDD95
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        APIs
                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF6869CFE44,?,?,?,00007FF6869D1356,?,?,?,?,?,00007FF6869D2949), ref: 00007FF6869DCB0A
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for 
Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
                                                        • API String ID: 190572456-3109299426
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                        • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                        • API String ID: 2446303242-1601438679
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                        • API String ID: 808467561-2761157908
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C74D7
                                                        • FormatMessageW.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C7506
                                                        • WideCharToMultiByte.KERNEL32 ref: 00007FF6869C755C
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                        • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                        • API String ID: 2920928814-2573406579
                                                        APIs
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: FileFindFirst_invalid_parameter_noinfo
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: memcpy_s
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: ExceptionRaise_clrfp
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID: e+000$gfff
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: CurrentFeaturePresentProcessProcessor
                                                        • String ID:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID: gfffffff
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: TMP
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        • String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        Similarity
                                                        • API ID: ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 485612231-0
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                        • API String ID: 2238633743-1453502826
                                                        Similarity
                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                        • String ID: P%
                                                        • API String ID: 2147705588-2959514604
                                                        • Opcode ID: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                        • Instruction ID: 10a2cfe017bc9901790bd3251bd4720250bdaebab6c13eb73d989123c7bdfc82
                                                        • Opcode Fuzzy Hash: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                        • Instruction Fuzzy Hash: 90512626608BE2C6DA349F26E0181BAB7A1FB98B61F004125EFCF83695DF7DD445DB10
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: f$f$p$p$f
                                                        • API String ID: 3215553584-1325933183
                                                        • Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                        • Instruction ID: 2eb7f65ec5b1043f3e062cde9a2dc9a687b26e1f4d8482bebcea5b9c5b4a7a12
                                                        • Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                        • Instruction Fuzzy Hash: ED128C62E0C1C3C6FF209E15A0546BA76A1FF90754F884179E68987AC6DF7EEC80CB54
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                        • API String ID: 2030045667-3659356012
                                                        • Opcode ID: 026f885360816c96bdd77ba67c1eb1664edbcbfa270e969d54b231075d802d52
                                                        • Instruction ID: 9fa2b0cfd654436aeca4cb589196669ed3e15a82a63e47ed4d4c030ee9d81fac
                                                        • Opcode Fuzzy Hash: 026f885360816c96bdd77ba67c1eb1664edbcbfa270e969d54b231075d802d52
                                                        • Instruction Fuzzy Hash: DA415E21A086C3C2EE24DB15E4512BA63A0FF44B94F44443ADE4E87BD7EE7EE942C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                        • Instruction ID: ea632bb401eb1443126ce2c3b0a2881f2bef4ac76ed3a491a3bb03b45bd34a6b
                                                        • Opcode Fuzzy Hash: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                        • Instruction Fuzzy Hash: 37E16072A08786CAEF209F65A4402AD77A4FF45798F100139EE4E97B96CF39E895C740
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C769F
                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C76EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                        • API String ID: 626452242-27947307
                                                        • Opcode ID: d9d72b3d70819d691a45a5c69d72243a1061b564855b32675f65c1480a0ef4ee
                                                        • Instruction ID: b7ba52b738895a4525354db50a6cb80c1245ccdb882ed0a2bbf737f81afecc0c
                                                        • Opcode Fuzzy Hash: d9d72b3d70819d691a45a5c69d72243a1061b564855b32675f65c1480a0ef4ee
                                                        • Instruction Fuzzy Hash: A3416B32A08BC3C6EA20CF15B44026AA7A5FF84B90F584139DA9E87BD6DF7DD851D700
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C7B81
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        • WideCharToMultiByte.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C7BF5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                        • API String ID: 3723044601-27947307
                                                        • Opcode ID: aced5f46d53ba3e30c592e5434d0d7ab1f54160dd14b943fd141642a19c75b6b
                                                        • Instruction ID: 0e6415bdf981e6651d9d08d5523d0540f31ba27183a7b3bfc18f44f97b668878
                                                        • Opcode Fuzzy Hash: aced5f46d53ba3e30c592e5434d0d7ab1f54160dd14b943fd141642a19c75b6b
                                                        • Instruction Fuzzy Hash: CE218B21A08B83C5EE109F22A8411797661BF84B90F48453EDA9E877D6EFBEED41C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: f$p$p
                                                        • API String ID: 3215553584-1995029353
                                                        • Opcode ID: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
                                                        • Instruction ID: a96dcb0d4494875c93fdbcf7cd4024e1224f9d98fd82ceae0567bdbadeedb9d8
                                                        • Opcode Fuzzy Hash: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
                                                        • Instruction Fuzzy Hash: 3B126B62E0C183C6FF24BA55E0542B97691FF80B54F944039E69A876CADF3EED80CB50
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                        • API String ID: 626452242-876015163
                                                        • Opcode ID: 75ada23d093b76e5b35e8a216d6a7c66ee7d2317080e6440cd66e03fb4978861
                                                        • Instruction ID: 44916e53939b998e8b0cba986ac7e26fc6889c3c25040a2eb5644fbf58a520fb
                                                        • Opcode Fuzzy Hash: 75ada23d093b76e5b35e8a216d6a7c66ee7d2317080e6440cd66e03fb4978861
                                                        • Instruction Fuzzy Hash: BA414D32A08A83C2EA50DF15A44017966A5FF44B90F54513ADB9E8BBE6EF3DD852C700
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCF6D
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCF7B
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCFA5
                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCFEB
                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCFF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 46f8882ba5516ded8d0f67aa9085a497a0d646e74245b223b6bb25c85e55adca
                                                        • Instruction ID: bbb9c3032bee128a5ba59f16534db5e3efb5c7a8733a0c745b01688d9e528c9a
                                                        • Opcode Fuzzy Hash: 46f8882ba5516ded8d0f67aa9085a497a0d646e74245b223b6bb25c85e55adca
                                                        • Instruction Fuzzy Hash: CD31E221A0AA83D5FE61DB06A40067427D4FF08BA4F49453DED1E8A3D2DF3EE845D700
                                                        APIs
                                                          • Part of subcall function 00007FF6869C7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                        • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6869C67CF,?,00000000,?,TokenIntegrityLevel), ref: 00007FF6869C64DF
                                                          • Part of subcall function 00007FF6869C2770: MessageBoxW.USER32 ref: 00007FF6869C2841
                                                        Strings
                                                        • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6869C653A
                                                        • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6869C64F3
                                                        • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6869C64B6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                        • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                        • API String ID: 1662231829-3498232454
                                                        • Opcode ID: e770f63f1b65fbf44ebddb50d5af86b3d9fe6b483d73fb8ce13bd60b0e8df226
                                                        • Instruction ID: 211546259d5930b174fa4072088a24e1c9dad8520c3b73b1a569c00bdd5ffada
                                                        • Opcode Fuzzy Hash: e770f63f1b65fbf44ebddb50d5af86b3d9fe6b483d73fb8ce13bd60b0e8df226
                                                        • Instruction Fuzzy Hash: 3C316021B1C7C3C1FE21AB21A5553BA5291BF98780F84443ADA4FC66DBEE2EED04C700
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7AF0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                        • API String ID: 3723044601-876015163
                                                        • Opcode ID: a067ef3949ab1c43b8cad70a8c207a907739284b21da8d2c9820fdf83144c31f
                                                        • Instruction ID: bdfdb10566961ccc46bb778b9362552f6f61e686f08c5cf040d876fdf01faed9
                                                        • Opcode Fuzzy Hash: a067ef3949ab1c43b8cad70a8c207a907739284b21da8d2c9820fdf83144c31f
                                                        • Instruction Fuzzy Hash: 0D214122B08A83C1EF50CB29F401169A361FF98794F584539DB5DD7BAAEE6DD941C700
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA62F
                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA644
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA665
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA692
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA6A3
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA6B4
                                                        • SetLastError.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA6CF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2050744018.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000001.00000002.2050716641.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050804666.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050843515.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2050904528.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: e4690b43786acef7750caa62a4944ce50e7135dc012d72f0de57dd7c45479f7b
                                                        • Instruction ID: ece477d59959cdede41b8ff40de3083e6623be3e49112ee5f8df792e2b848621
                                                        • Opcode Fuzzy Hash: e4690b43786acef7750caa62a4944ce50e7135dc012d72f0de57dd7c45479f7b
                                                        • Instruction Fuzzy Hash: 6F213820B0C2C3C6FE58A729A65513D62427F44BB4F54063CE83E87ADBDE6EAC21C700
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: 1a41989b306c04176fbb8ce5d038fb17b2eb18ca34d01c5ff4cda60dd112554e
                                                        • Instruction ID: 4cfeb9e46bd16a98249ccfbb4e13b428a17b834ced2703a599a15c012f6961ba
                                                        • Opcode Fuzzy Hash: 1a41989b306c04176fbb8ce5d038fb17b2eb18ca34d01c5ff4cda60dd112554e
                                                        • Instruction Fuzzy Hash: CE115121A18A82C6EB508B56E85432972A4FF88BE5F454238EA5DC77E5CFBDDD04C740
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA7A7
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA7DD
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA80A
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA81B
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA82C
                                                        • SetLastError.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA847
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: b80b9a6360fdb838ee2f6689ae67004e58d61d8a43e34886883bb0108a8494f3
                                                        • Instruction ID: 4b4bb2676ddba638a4b37d52e88cdb0656d3cd592af1f9b3a22d44298cfe5015
                                                        • Opcode Fuzzy Hash: b80b9a6360fdb838ee2f6689ae67004e58d61d8a43e34886883bb0108a8494f3
                                                        • Instruction Fuzzy Hash: 41113B30F0C2C3C6FE586725AA4117961527F44BB0F04463CE82E876DBDE6EAC22C710
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 42fbbb83cedbe148bfcc1de87ea3e914151e174f0a46670c6939306692d2d31c
                                                        • Instruction ID: c90eca7a9b005616e058376d9a00c63bd52cdf54d878512b52edc02a1a9f5295
                                                        • Opcode Fuzzy Hash: 42fbbb83cedbe148bfcc1de87ea3e914151e174f0a46670c6939306692d2d31c
                                                        • Instruction Fuzzy Hash: 8F515D32A19683C6EF14CB15E404B292B95FF84B98F558138DA4B877CADE7AED41C704
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                        • String ID: Unhandled exception in script
                                                        • API String ID: 3081866767-2699770090
                                                        • Opcode ID: 6bea62eccc28d19483c18ff1a3e2d52c6af3fb64e3e46481c97fdf2a226d8d74
                                                        • Instruction ID: 45f8982eae29a4ee10a04d3992fc7989e800afaf002ebdc46c46ec770681cefc
                                                        • Opcode Fuzzy Hash: 6bea62eccc28d19483c18ff1a3e2d52c6af3fb64e3e46481c97fdf2a226d8d74
                                                        • Instruction Fuzzy Hash: 5D314032A096C3C9EF24DF61E8552E96360FF88B94F440139EA4E8BA96DF7DD945C700
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C74B0: GetLastError.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C74D7
                                                          • Part of subcall function 00007FF6869C74B0: FormatMessageW.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C7506
                                                          • Part of subcall function 00007FF6869C7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                        • MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        • MessageBoxA.USER32 ref: 00007FF6869C2748
                                                        Strings
                                                        Similarity
                                                        • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                        • String ID: %s%s: %s$Fatal error detected
                                                        • API String ID: 2806210788-2410924014
                                                        • Opcode ID: bd2085b38ade222d48c53e4b242a54a19eedc60d0d0276a39b8304b5fd6b5430
                                                        • Instruction ID: a795bd3ae84f8295e75a048542b5d8d81aebf6f9b372a5db8fab28017994bc99
                                                        • Opcode Fuzzy Hash: bd2085b38ade222d48c53e4b242a54a19eedc60d0d0276a39b8304b5fd6b5430
                                                        • Instruction Fuzzy Hash: 91314372628AC3D1EB209B11E4517EA6364FF84794F40403AE68E876DADF7DDB05CB40
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 611779d08fafb8db9f6fab045cd04065641a8af0ffd245d6ff06f44facfa83ea
                                                        • Instruction ID: 9632cce19e2929d99617a2dc5a42b04faf92f32887ac1b3eac2aacaf03a4b974
                                                        • Opcode Fuzzy Hash: 611779d08fafb8db9f6fab045cd04065641a8af0ffd245d6ff06f44facfa83ea
                                                        • Instruction Fuzzy Hash: 24F0C271A19A83C1EF108B64E4443391320BF857B1F45023DD5AD8A2F6DF6ED848C340
                                                        APIs
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                        • Instruction ID: 98c1f238f0251762a9ed4d43b6dfb64728edccf0f167f4d9a9ebc168e7bb5ba5
                                                        • Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                        • Instruction Fuzzy Hash: EE11C122E2CA87C1FE9521E4E65137514417F583B4F86063CED7E8E6D7CEAEAC41C140
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA87F
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA89E
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA8C6
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA8D7
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA8E8
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: 7f030ec9ba2ccb2e9b5360193d37b1ac766c0381a595b89cd51a21b8ccd138ec
                                                        • Instruction ID: 97a706f6f50e4edfd3735707793969674984d4f56940fa6fb7249e3a5a1f9330
                                                        • Opcode Fuzzy Hash: 7f030ec9ba2ccb2e9b5360193d37b1ac766c0381a595b89cd51a21b8ccd138ec
                                                        • Instruction Fuzzy Hash: B0112930F0C2C385FE58A726AA4117A62457F447B0E04463CE93E866D7DE2EAC62C711
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA705
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA724
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA74C
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA75D
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA76E
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: 80e08a14f964f1394f595af2946dfd7764109c44ee838682c6d48f6542b65f19
                                                        • Instruction ID: d0ac504a9255f30b9c725926041b77177e5e0caed2dc1baed0341d437d289319
                                                        • Opcode Fuzzy Hash: 80e08a14f964f1394f595af2946dfd7764109c44ee838682c6d48f6542b65f19
                                                        • Instruction Fuzzy Hash: A511D624F0D283D5FE58A725981217A22967F45774F140B3CE93E8A2DBDE2EBC61C311
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                        • API String ID: 3215553584-1196891531
                                                        • Opcode ID: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                        • Instruction ID: dea5d836526d7f32542a13b1b3bd3c0257a6f2339b2220473f637304729b08c6
                                                        • Opcode Fuzzy Hash: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                        • Instruction Fuzzy Hash: CC817D76E086C3C5EF645E29821627866A0BF11BC8F568039DA0DD76D7DF2FED02D242
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                        • Instruction ID: fff2bc78147d69bd18f4cf5fbbf11df836cd58d6b1147b4cf610286a91cd6065
                                                        • Opcode Fuzzy Hash: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                        • Instruction Fuzzy Hash: EE613D37A08B86C6EB10CF69E4803AD77A0FB44B88F144229DE4E57B96DF79E955C700
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: Message$ByteCharMultiWide
                                                        • String ID: %s%s: %s$Fatal error detected
                                                        • API String ID: 1878133881-2410924014
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C3BD1
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorFileLastMessageModuleName
                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                        • API String ID: 2581892565-1977442011
                                                        APIs
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        APIs
                                                        Similarity
                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                        • String ID:
                                                        • API String ID: 2780335769-0
                                                        APIs
                                                        Similarity
                                                        • API ID: LongWindow$DialogInvalidateRect
                                                        • String ID:
                                                        • API String ID: 1956198572-0
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _get_daylight$_invalid_parameter_noinfo
                                                        • String ID: ?
                                                        • API String ID: 1286766494-1684325040
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869D7E9E
                                                          • Part of subcall function 00007FF6869D9E18: RtlFreeHeap.NTDLL(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                          • Part of subcall function 00007FF6869D9E18: GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                        • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6869CB105), ref: 00007FF6869D7EBC
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                        • String ID: C:\Users\user\Desktop\oneDrive.exe
                                                        • API String ID: 3580290477-2215394283
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: :
                                                        • API String ID: 1611563598-336475711
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: Message$ByteCharMultiWide
                                                        • String ID: Fatal error detected
                                                        • API String ID: 1878133881-4025702859
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: Message$ByteCharMultiWide
                                                        • String ID: Error detected
                                                        • API String ID: 1878133881-3513342764
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                        • String ID: :
                                                        • API String ID: 2595371189-336475711

                                                        Execution Graph

                                                        Execution Coverage:5.8%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:764
                                                        Total number of Limit Nodes:16

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                        • String ID:
                                                        • API String ID: 1617910340-0
                                                        • Opcode ID: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
                                                        • Instruction ID: ffb95471b4a742d7601a96979353f00057265813c4828013fc064cbb673f0455
                                                        • Opcode Fuzzy Hash: f9714f3a8e10acd42ca2d2c5b2c2c8a966f4ca54d5d677232d284773bb45134f
                                                        • Instruction Fuzzy Hash: 6FC1A236B24A82C6EF51CF69C4906AC3761FB49BA8B015239DA1E977D6CF7AD851C300

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _fread_nolock$Message_invalid_parameter_noinfo
                                                        • String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                        • API String ID: 2153230061-4158440160
                                                        • Opcode ID: 9101801a2d3ac821dc45f3c210c6535dcaecc234eedfce769c1e2387d8d123d1
                                                        • Instruction ID: 6baa0f4772c03c00f59c1df640cf9658c2e9d7bfcb866351f80806edd549a0fc
                                                        • Opcode Fuzzy Hash: 9101801a2d3ac821dc45f3c210c6535dcaecc234eedfce769c1e2387d8d123d1
                                                        • Instruction Fuzzy Hash: 33511A72A09683C6EF54CF28E45517833A0FF48B58B518139DA0EC77DAEE6EE944C744

                                                        Control-flow Graph

                                                        Strings
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                        • API String ID: 2030045667-3659356012
                                                        • Opcode ID: b9527ed25a08e027e619c0f48f7f69b51d33915f4b886b1c04b788e0506d998c
                                                        • Instruction ID: 9fa2b0cfd654436aeca4cb589196669ed3e15a82a63e47ed4d4c030ee9d81fac
                                                        • Opcode Fuzzy Hash: b9527ed25a08e027e619c0f48f7f69b51d33915f4b886b1c04b788e0506d998c
                                                        • Instruction Fuzzy Hash: DA415E21A086C3C2EE24DB15E4512BA63A0FF44B94F44443ADE4E87BD7EE7EE942C704

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00007FF6869C3BA0: GetModuleFileNameW.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C3BD1
                                                        • SetDllDirectoryW.KERNEL32 ref: 00007FF6869C38A5
                                                          • Part of subcall function 00007FF6869C6990: GetEnvironmentVariableW.KERNEL32(00007FF6869C36E7), ref: 00007FF6869C69CA
                                                          • Part of subcall function 00007FF6869C6990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6869C69E7
                                                        Strings
                                                        Similarity
                                                        • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                        • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                        • API String ID: 2344891160-3602715111
                                                        • Opcode ID: a9d80687edf50720008c1c19d3c188cb07f31f297c6ec28e510237156a3f44f3
                                                        • Instruction ID: 8a413891b6935212a964e5ed665dfd365a39070ce06dff9cbd96d0c9a3657484
                                                        • Opcode Fuzzy Hash: a9d80687edf50720008c1c19d3c188cb07f31f297c6ec28e510237156a3f44f3
                                                        • Instruction Fuzzy Hash: D1B18121A1CAC3D1EE65AB2194512FD6390BF44784F80413AEA4FC76DBEE2EEE05D740

                                                        Control-flow Graph

                                                        Strings
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                        • API String ID: 2030045667-1655038675
                                                        • Opcode ID: 3a29cac6c315e89fd1a339ce373b4b8305977fdf4dc839f12d0ce977f9400e5b
                                                        • Instruction ID: 955c61dbf2f9955b0a763ad5e6a27ffde3007a405058485060dfca9b9a955f49
                                                        • Opcode Fuzzy Hash: 3a29cac6c315e89fd1a339ce373b4b8305977fdf4dc839f12d0ce977f9400e5b
                                                        • Instruction Fuzzy Hash: 8551BC22A086C3C5EE609B55E4503BA6290BF86BA4F444139DE4EC77DAEF3EE945C704

                                                        Control-flow Graph

                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,00000000,?,00007FF6869DE152,?,?,-00000018,00007FF6869DA223,?,?,?,00007FF6869DA11A,?,?,?,00007FF6869D5472), ref: 00007FF6869DDF34
                                                        • GetProcAddress.KERNEL32(?,00000000,?,00007FF6869DE152,?,?,-00000018,00007FF6869DA223,?,?,?,00007FF6869DA11A,?,?,?,00007FF6869D5472), ref: 00007FF6869DDF40
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                        • Instruction ID: 9d107852cfc4aa0f868c5404c2d617d4e674a6d402143d49c1fa439845df7a03
                                                        • Opcode Fuzzy Hash: 01869d8b0b1ae08ce046380e8c955ca032c286979885a37836ee5a28d8bde6d1
                                                        • Instruction Fuzzy Hash: 9341E122B19693C1FE25CB1698005756299BF15BA0F4A413DDD0DC77DAEE7EEC49C310

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 6f2067f9e2b798d7e4aa60285487f192dd8020c4dcad372bd04a148e1f9d7242
                                                        • Instruction ID: 35f6306d704fc450e07160b12ce18835cde31332b95a2372a797c17fbde69450
                                                        • Opcode Fuzzy Hash: 6f2067f9e2b798d7e4aa60285487f192dd8020c4dcad372bd04a148e1f9d7242
                                                        • Instruction Fuzzy Hash: 13C1B262A086C7C2EF609B1594402BD6BA6FF91B90F550139DA4E837DBCE7EEC45C300

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 1452418845-0
                                                        • Opcode ID: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
                                                        • Instruction ID: c44b0a608571c3da6aa2a096032fc1fad657fba48939cd9cdd61962a0bcf5723
                                                        • Opcode Fuzzy Hash: 90a7fcc3a81af5bf04ad81541e301d7d9fb9f11ea0fdd18d74326f9016f6428e
                                                        • Instruction Fuzzy Hash: A5313911E08183C6FE14AB6095613BD3282BFA5384F45003CD94FCB2EBDE6FAE06C201

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 1279662727-0
                                                        • Opcode ID: 8a464286a4aee93ad09e46d96520f5fa22b2a313ca22bba1db5411dbdbef7e96
                                                        • Instruction ID: 54af97e77354bbb2b2d59b266c33b0ebdf1e0cd9b2f329112b284c0e020acf48
                                                        • Opcode Fuzzy Hash: 8a464286a4aee93ad09e46d96520f5fa22b2a313ca22bba1db5411dbdbef7e96
                                                        • Instruction Fuzzy Hash: 5E418322E187C2C3EB948B61951037962A0FF95B64F109338E69C47AD7DF6DA9E0C700

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        • Opcode ID: d426427e4f48dbbb9dc5f253e5f2c69f0b75b8518679dacd75070a6bbb583433
                                                        • Instruction ID: 3dfb40239b053b8c91d6a486a76a98fa43dadd9ed469e1c9b6dae5d383991e51
                                                        • Opcode Fuzzy Hash: d426427e4f48dbbb9dc5f253e5f2c69f0b75b8518679dacd75070a6bbb583433
                                                        • Instruction Fuzzy Hash: ABD06C10B18683C2EE182BB0599517912127F88B61B11283CC81A8A7E7CDAEAC49C300

                                                        Control-flow Graph

                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
                                                        • Instruction ID: 1ddfc6e910e589cafb0d55d111a27352bfd63f83c7b17d911d935b6c52a2941c
                                                        • Opcode Fuzzy Hash: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
                                                        • Instruction Fuzzy Hash: BB51D461B092C3C6EE689E25950467A6691BF44BE4F148638DE6EC77CBCF3EDC01C601
                                                        APIs
                                                        • SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF6869DB79D), ref: 00007FF6869DB650
                                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6869DB79D), ref: 00007FF6869DB65A
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        • Opcode ID: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
                                                        • Instruction ID: 55e0760c798f35c2569b785a52dc0337a394420d47c0e93d2944f701cd1159ca
                                                        • Opcode Fuzzy Hash: ff2257711b1d275b862e663729d543ef4812b290fbf882e2e1232765a84f7875
                                                        • Instruction Fuzzy Hash: 2A118FA2A18B82C1DE108B25A40416D7762BF45BF4F944339EA7D877EACF7DD851C700
                                                        APIs
                                                        • CloseHandle.KERNELBASE(?,?,?,00007FF6869D9EA5,?,?,00000000,00007FF6869D9F5A), ref: 00007FF6869DA096
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869D9EA5,?,?,00000000,00007FF6869D9F5A), ref: 00007FF6869DA0A0
                                                        Similarity
                                                        • API ID: CloseErrorHandleLast
                                                        • String ID:
                                                        • API String ID: 918212764-0
                                                        • Opcode ID: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
                                                        • Instruction ID: d737a1cc6f16eeebada49c06781e2be62655489af6c7ef62383d8b29d848b388
                                                        • Opcode Fuzzy Hash: 649148bb364a2e2bb6c01b4b98e8ba63ccdb9764b03dbbc10b4a89a301f042aa
                                                        • Instruction Fuzzy Hash: 68219F21B186C3C5EE509765D4542791292BF85BF0F14423DEA2EC77D3CE6EAC65C300
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 7edcb5c19051daea02f21c4053ec30bf8603933813fd22e9cae156a3527bc5bd
                                                        • Instruction ID: 231b8e70e92c901180214fd3ef494851442aee016d0e91d6841f46d27fdd9029
                                                        • Opcode Fuzzy Hash: 7edcb5c19051daea02f21c4053ec30bf8603933813fd22e9cae156a3527bc5bd
                                                        • Instruction Fuzzy Hash: C941CF72909283C7EE24DA19E540279B3A2FF95B54F100239D68EC76D6CF2EE802C751
                                                        APIs
                                                        Similarity
                                                        • API ID: _fread_nolock
                                                        • String ID:
                                                        • API String ID: 840049012-0
                                                        • Opcode ID: 033a4210891c7de0e80cf35636e901d9f642a42152a779333d6082372dd68c1a
                                                        • Instruction ID: 64991a8481fd01b862e2bf2ecb1abfc886ec1adce2d048773d07bdb5ced14326
                                                        • Opcode Fuzzy Hash: 033a4210891c7de0e80cf35636e901d9f642a42152a779333d6082372dd68c1a
                                                        • Instruction Fuzzy Hash: A7218021B092D3C6EE119A12A5147BAA651BF45BD4F884438EF0E8B7C7CE3EE946C600
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 47f2cb7360056a46563935c31beadd7a45ae652dec1b657f4a22353b163fa2db
                                                        • Instruction ID: cb0f4aae9aa6e56c07f7b2345923d5c3fc933e9148756c73f83a58709fd9c366
                                                        • Opcode Fuzzy Hash: 47f2cb7360056a46563935c31beadd7a45ae652dec1b657f4a22353b163fa2db
                                                        • Instruction Fuzzy Hash: 0C316722A18683C9EF91AF15C8413782690BF40BA0F410239EA1D833D3CFBEEC91C725
                                                        APIs
                                                        Similarity
                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                        • String ID:
                                                        • API String ID: 3947729631-0
                                                        • Opcode ID: e9a7e304643df4a79f5f92f113a909c0855d61e5f1cd2648997e34e72053eb35
                                                        • Instruction ID: 2f5a657defdde97fecea673e24998d2ae17fb294642703dd0b7496241ee72114
                                                        • Opcode Fuzzy Hash: e9a7e304643df4a79f5f92f113a909c0855d61e5f1cd2648997e34e72053eb35
                                                        • Instruction Fuzzy Hash: 3B216932E04A86CAEF259F64D4402AC33A0FF44718F15163AD62C8AAD7DF39D984CB80
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
                                                        • Instruction ID: dbd4f0277b0e975a140a45a9be0193ea1b0fb7296ff64198b296dd7a40225499
                                                        • Opcode Fuzzy Hash: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
                                                        • Instruction Fuzzy Hash: BD115E21A0E6C3C1EE619F5194012B9A2A0BF85B84F444439EA8C97BD7CF7EDC51C742
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        APIs
                                                          • Part of subcall function 00007FF6869C7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                        • LoadLibraryExW.KERNELBASE(?,?,00000000,00007FF6869C30BE), ref: 00007FF6869C71D3
                                                        Similarity
                                                        • API ID: ByteCharLibraryLoadMultiWide
                                                        • String ID:
                                                        • API String ID: 2592636585-0
                                                        APIs
                                                        • HeapAlloc.KERNEL32(?,?,00000000,00007FF6869DA8B6,?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E), ref: 00007FF6869DDD95
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        APIs
                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF6869CFE44,?,?,?,00007FF6869D1356,?,?,?,?,?,00007FF6869D2949), ref: 00007FF6869DCB0A
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                        • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                        • API String ID: 2446303242-1601438679
                                                        APIs
                                                        • GetTempPathW.KERNEL32(?,00000000,?,00007FF6869C674D), ref: 00007FF6869C681A
                                                          • Part of subcall function 00007FF6869C6990: GetEnvironmentVariableW.KERNEL32(00007FF6869C36E7), ref: 00007FF6869C69CA
                                                          • Part of subcall function 00007FF6869C6990: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6869C69E7
                                                          • Part of subcall function 00007FF6869D66B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869D66CD
                                                        • SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF6869C68D1
                                                          • Part of subcall function 00007FF6869C2770: MessageBoxW.USER32 ref: 00007FF6869C2841
                                                        Strings
                                                        Similarity
                                                        • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                        • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                        • API String ID: 3752271684-1116378104
                                                        APIs
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        APIs
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E4E65
                                                          • Part of subcall function 00007FF6869E47B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E47CC
                                                          • Part of subcall function 00007FF6869D9E18: HeapFree.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                          • Part of subcall function 00007FF6869D9E18: GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                          • Part of subcall function 00007FF6869D9DD0: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6869D9DAF,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869D9DD9
                                                          • Part of subcall function 00007FF6869D9DD0: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6869D9DAF,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869D9DFE
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E4E54
                                                          • Part of subcall function 00007FF6869E4818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E482C
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50CA
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50DB
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50EC
                                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6869E532C), ref: 00007FF6869E5113
                                                        Similarity
                                                        • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                        • String ID:
                                                        • API String ID: 4070488512-0
                                                        APIs
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        APIs
                                                        Similarity
                                                        • API ID: FileFindFirst_invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 2227656907-0
                                                        APIs
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50CA
                                                          • Part of subcall function 00007FF6869E4818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E482C
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50DB
                                                          • Part of subcall function 00007FF6869E47B8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E47CC
                                                        • _get_daylight.LIBCMT ref: 00007FF6869E50EC
                                                          • Part of subcall function 00007FF6869E47E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869E47FC
                                                          • Part of subcall function 00007FF6869D9E18: HeapFree.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                          • Part of subcall function 00007FF6869D9E18: GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6869E532C), ref: 00007FF6869E5113
                                                        Similarity
                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                        • String ID:
                                                        • API String ID: 3458911817-0
                                                        • Opcode ID: 8dda7e1bb43cce3069c61b2343a9d469707a009ccb87a98b23344d3931a91aef
                                                        • Instruction ID: f05a120133836877883eb79a7598f4e417a44c09cbd800705c14821e6c1c51b4
                                                        • Opcode Fuzzy Hash: 8dda7e1bb43cce3069c61b2343a9d469707a009ccb87a98b23344d3931a91aef
                                                        • Instruction Fuzzy Hash: F9516A72A18683C6EB20EF21E9911A96760BF88784F45513EEA4DC36D6DF7EEC01C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for 
Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
                                                        • API String ID: 190572456-3109299426
                                                        • Opcode ID: 67747be8a076f706c1c9372e7d2496993eaa02b7082083ef588a9e8b618be952
                                                        • Instruction ID: c8d9f9b5edfaa15344947d12d845e44874886091f7758a2788adb69aff7ce728
                                                        • Opcode Fuzzy Hash: 67747be8a076f706c1c9372e7d2496993eaa02b7082083ef588a9e8b618be952
                                                        • Instruction Fuzzy Hash: 9E42A164A0DB87D1FE55CB08E95017423A6BF157A5B84503ED80E863EAFFBEAD58D300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                        • API String ID: 2238633743-1453502826
                                                        • Opcode ID: ba523ba2b13c4ea14ee618d69630f35f7ff64aa3d65f3ca8e14aa07d75cb9247
                                                        • Instruction ID: a2811b3cd48626fc7b102f29f6d7b8bb0c45153efacc1a6ff7f91671dfc5caf5
                                                        • Opcode Fuzzy Hash: ba523ba2b13c4ea14ee618d69630f35f7ff64aa3d65f3ca8e14aa07d75cb9247
                                                        • Instruction Fuzzy Hash: 72E1F760A0DB83D5FE59CB08A95027423A9BF15791B84503DC85EC63EAEFBEBD58D301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                        • API String ID: 2943138195-1388207849
                                                        • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                        • Instruction ID: 627931c52628c668441d8a444d90438cdc0ecf8ae9925fd0575e6e88dc4beaf8
                                                        • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                        • Instruction Fuzzy Hash: 53F180B9F08A92D4FB1A8B74DDC82BC36B0BB48744F804575CA1D16EAADF7DA645C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: `anonymous namespace'
                                                        • API String ID: 2943138195-3062148218
                                                        • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                        • Instruction ID: 743e3990fe4c01aa7f718cd6e64c73e766cf14377f292ce3e908304f9265f726
                                                        • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                        • Instruction Fuzzy Hash: 05E146BAA08BC2D5EB12CF34D9881AD77A0FB89748F804176EA4D17E56DF38E555CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                        • Instruction ID: e5fc52487f7a39c43e21f501120fdf85647314331092f359b393b94c3d844820
                                                        • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                        • Instruction Fuzzy Hash: 77F17CBAB08AC2DAEB12DF74D8941EC37B0EB4974CB444171EA4D57E9ADE38D51AC340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                        • API String ID: 2943138195-2309034085
                                                        • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                        • Instruction ID: 4ae4ce60ac60ec6f8e27ff031277cb7f054e68430663c424df62b7b8ec8ad41a
                                                        • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                        • Instruction Fuzzy Hash: 74E16CEAE08692C4FB169B74CDDC1BC37A9AF56748F4401B5CA8E16E9BDE3CA505C340
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                        • API String ID: 0-666925554
                                                        • Opcode ID: 1bbb5a14678834b1a958f942c3490a164635d270f47cc7c371ea8b9b6d09e3c4
                                                        • Instruction ID: ec3dde29b07e951715218c0a3e8332ebf4329088ddccf8077d0ee4201b64d0fe
                                                        • Opcode Fuzzy Hash: 1bbb5a14678834b1a958f942c3490a164635d270f47cc7c371ea8b9b6d09e3c4
                                                        • Instruction Fuzzy Hash: F5517861B08AC3C1EE209B21E5546B963A0BF45BE8F444539DE0EC76E7EE7EE945C304
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                        • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                        • API String ID: 4998090-2855260032
                                                        • Opcode ID: 325d64cfb385d23493eb0389c0ea059c6d59262dbafda5a72abe8264351e6c2a
                                                        • Instruction ID: 8da2eea8deb8d7015943f864ab9d974cea02c40b2eda5059854a239fdba017de
                                                        • Opcode Fuzzy Hash: 325d64cfb385d23493eb0389c0ea059c6d59262dbafda5a72abe8264351e6c2a
                                                        • Instruction Fuzzy Hash: 96413D3161C6C3C2EF509F61E4446AA7361FF857A4F440239EA9E866E6DF7DD944CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 3436797354-393685449
                                                        • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                        • Instruction ID: 22253bd0a67ce83eca04542697196deb54eeb22597ff63cb915149abcad003b1
                                                        • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                        • Instruction Fuzzy Hash: C2D16FBAA08782C6EB169F75D8882AD77A0FB49B98F001175DE4D57B57CF38E491C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                        • String ID: P%
                                                        • API String ID: 2147705588-2959514604
                                                        • Opcode ID: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                        • Instruction ID: 10a2cfe017bc9901790bd3251bd4720250bdaebab6c13eb73d989123c7bdfc82
                                                        • Opcode Fuzzy Hash: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                        • Instruction Fuzzy Hash: 90512626608BE2C6DA349F26E0181BAB7A1FB98B61F004125EFCF83695DF7DD445DB10
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                        • API String ID: 0-3207858774
                                                        • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                        • Instruction ID: 1a5f2b36762db7e93f5bd4a59581bd0c29a4200a6fb0a0a3653499aee2d57950
                                                        • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                        • Instruction Fuzzy Hash: 3B9153AAB08AC6C5EB16CB34D8D82BC37A0AB54B48F8441B5DA4D07B97DF3CE506C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+$Name::operator+=
                                                        • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                        • API String ID: 179159573-1464470183
                                                        • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                        • Instruction ID: 05f27eff3722ec41a6732f213f0318a135cb17778df60048b47fb83a02ada125
                                                        • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                        • Instruction Fuzzy Hash: 0B515BBAF18A96C9FB16CB75EC885AC37B0BB1A744F500135DA0D56E5ADF29E542C300
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C74D7
                                                        • FormatMessageW.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C7506
                                                        • WideCharToMultiByte.KERNEL32 ref: 00007FF6869C755C
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                        • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                        • API String ID: 2920928814-2573406579
                                                        • Opcode ID: 8b0166d5a5045c769a8e77ad43af0852bc728ff9b5502801be361ecb61f6b2fa
                                                        • Instruction ID: b033085725c13a7986ea97f6fe2a985c09bd342bac3ea676cab11986621025a0
                                                        • Opcode Fuzzy Hash: 8b0166d5a5045c769a8e77ad43af0852bc728ff9b5502801be361ecb61f6b2fa
                                                        • Instruction Fuzzy Hash: 58213031A18AC3C2EF209B11E8413766265BF48394F84003DE69EC66E6EFBEE945C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                        • Instruction ID: aa630a2fd13f470023e11ce266dd3ce77c75b319b4eaf4afe395305b6609a5b1
                                                        • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                        • Instruction Fuzzy Hash: 396149A6B04AA2D8FB02DBB0DC841EC37B1BB44788B805476DE5D2BE5ADF78D546C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: f$f$p$p$f
                                                        • API String ID: 3215553584-1325933183
                                                        • Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                        • Instruction ID: 2eb7f65ec5b1043f3e062cde9a2dc9a687b26e1f4d8482bebcea5b9c5b4a7a12
                                                        • Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                        • Instruction Fuzzy Hash: ED128C62E0C1C3C6FF209E15A0546BA76A1FF90754F884179E68987AC6DF7EEC80CB54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 211107550-393685449
                                                        • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                        • Instruction ID: 11fa96110d2d60835ee5aacfe2a485cdb37829e2e58e93698b54acbda6a88b7c
                                                        • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                        • Instruction Fuzzy Hash: B8E18FBAA086C2CAE7129F74D8C82AD7BA0FB44B58F145175DA8D47B57CF78E485CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                        • API String ID: 2943138195-2239912363
                                                        • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                        • Instruction ID: 6a761304d69853cfb0e0d241b0341df66daf2444d248bc89ac77070990102442
                                                        • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                        • Instruction Fuzzy Hash: D65156AAE0CB86C9FB16CB70DD892BC77A0BB48744F844576CA4D16E96DF7CA045C710
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                        • String ID: CreateProcessW$Error creating child process!
                                                        • API String ID: 2895956056-3524285272
                                                        • Opcode ID: 818e29d337d92c80142cd965dc47d4137e35c853672c1fb6e5a7bce6e7f526a1
                                                        • Instruction ID: 7f8df44f7d045042c4078dee0a01664aadb41bf48f778d8dee9f7bd61b584d72
                                                        • Opcode Fuzzy Hash: 818e29d337d92c80142cd965dc47d4137e35c853672c1fb6e5a7bce6e7f526a1
                                                        • Instruction Fuzzy Hash: A4412032A087C3C2DE209B64E8552AAB364FF95364F400339E6AD87AE6DF7DD454CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                        • Instruction ID: ea632bb401eb1443126ce2c3b0a2881f2bef4ac76ed3a491a3bb03b45bd34a6b
                                                        • Opcode Fuzzy Hash: 64a04dea20eab758f09741b49381e36ae6aa3d4dbdf263ead872da10faeebcc4
                                                        • Instruction Fuzzy Hash: 37E16072A08786CAEF209F65A4402AD77A4FF45798F100139EE4E97B96CF39E895C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                        • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                        • API String ID: 1852475696-928371585
                                                        • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                        • Instruction ID: 38806a0242552bcdf588175c6a40ac5a4af1a15a4f9e02fec659ff7386e829b9
                                                        • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                        • Instruction Fuzzy Hash: 09516CAAB19A86D2EF26DB34ECD85BD7360FB84B94F404471DA4D07A66DE3CE506C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+$Name::operator+=
                                                        • String ID: {for
                                                        • API String ID: 179159573-864106941
                                                        • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                        • Instruction ID: 951343bcf83c4ec9b40d1cb65b9e12b431c7f391266da7e1e7c2524bd4cd3a93
                                                        • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                        • Instruction Fuzzy Hash: 8E5129BAA08AC5D9EB128F34D9893EC73A1EB45758F8080B1EA4C4BE96DF7CD555C340
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C769F
                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C76EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                        • API String ID: 626452242-27947307
                                                        • Opcode ID: 43851299e65b878553ee9477cdfb9aa8b38a7a1e3001ba9c1eb6bb9cebf00e3a
                                                        • Instruction ID: b7ba52b738895a4525354db50a6cb80c1245ccdb882ed0a2bbf737f81afecc0c
                                                        • Opcode Fuzzy Hash: 43851299e65b878553ee9477cdfb9aa8b38a7a1e3001ba9c1eb6bb9cebf00e3a
                                                        • Instruction Fuzzy Hash: A3416B32A08BC3C6EA20CF15B44026AA7A5FF84B90F584139DA9E87BD6DF7DD851D700
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FFB24BD6A6B,?,?,00000000,00007FFB24BD689C,?,?,?,?,00007FFB24BD65E5), ref: 00007FFB24BD6931
                                                        • GetLastError.KERNEL32(?,?,?,00007FFB24BD6A6B,?,?,00000000,00007FFB24BD689C,?,?,?,?,00007FFB24BD65E5), ref: 00007FFB24BD693F
                                                        • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFB24BD6A6B,?,?,00000000,00007FFB24BD689C,?,?,?,?,00007FFB24BD65E5), ref: 00007FFB24BD6958
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FFB24BD6A6B,?,?,00000000,00007FFB24BD689C,?,?,?,?,00007FFB24BD65E5), ref: 00007FFB24BD696A
                                                        • FreeLibrary.KERNEL32(?,?,?,00007FFB24BD6A6B,?,?,00000000,00007FFB24BD689C,?,?,?,?,00007FFB24BD65E5), ref: 00007FFB24BD69B0
                                                        • GetProcAddress.KERNEL32(?,?,?,00007FFB24BD6A6B,?,?,00000000,00007FFB24BD689C,?,?,?,?,00007FFB24BD65E5), ref: 00007FFB24BD69BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                        • String ID: api-ms-
                                                        • API String ID: 916704608-2084034818
                                                        • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                        • Instruction ID: b44a165fa87099ba85b9d82c2a55e1eb0ef4c565923e17005353e437bdcece7c
                                                        • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                        • Instruction Fuzzy Hash: D431DF69B0A681D1EE178B32DD881AC3294BB58FA0F594135DD1D06B8ADF3CE5458700
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C7B81
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        • WideCharToMultiByte.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C7BF5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                        • API String ID: 3723044601-27947307
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abort$AdjustPointer
                                                        • String ID:
                                                        • API String ID: 1501936508-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abort$AdjustPointer
                                                        • String ID:
                                                        • API String ID: 1501936508-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: f$p$p
                                                        • API String ID: 3215553584-1995029353
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: FileHeader_local_unwind
                                                        • String ID: MOC$RCC$csm$csm
                                                        • API String ID: 2627209546-1441736206
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                        • API String ID: 626452242-876015163
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: NameName::atol
                                                        • String ID: `template-parameter$void
                                                        • API String ID: 2130343216-4057429177
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCF6D
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCF7B
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCFA5
                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCFEB
                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF6869CD19A,?,?,?,00007FF6869CCE8C,?,?,00000001,00007FF6869CCAA9), ref: 00007FF6869CCFF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        APIs
                                                          • Part of subcall function 00007FF6869C7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                        • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6869C67CF,?,00000000,?,TokenIntegrityLevel), ref: 00007FF6869C64DF
                                                          • Part of subcall function 00007FF6869C2770: MessageBoxW.USER32 ref: 00007FF6869C2841
                                                        Strings
                                                        • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6869C64B6
                                                        • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6869C64F3
                                                        • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6869C653A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                        • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                        • API String ID: 1662231829-3498232454
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                        • API String ID: 2943138195-2211150622
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: char $int $long $short $unsigned
                                                        • API String ID: 2943138195-3894466517
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        • MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7AF0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                        • API String ID: 3723044601-876015163
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA62F
                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA644
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA665
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA692
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA6A3
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA6B4
                                                        • SetLastError.KERNEL32(?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F,?,?,?,00007FF6869D9313), ref: 00007FF6869DA6CF
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                        • String ID:
                                                        • API String ID: 3741236498-0
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA7A7
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA7DD
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA80A
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA81B
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA82C
                                                        • SetLastError.KERNEL32(?,?,?,00007FF6869D444D,?,?,?,?,00007FF6869DDDA7,?,?,00000000,00007FF6869DA8B6,?,?,?), ref: 00007FF6869DA847
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abort$CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 2889003569-2084237596
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                        • API String ID: 2943138195-757766384
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abort$CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 2889003569-2084237596
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                        • String ID: Unhandled exception in script
                                                        • API String ID: 3081866767-2699770090
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C74B0: GetLastError.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C74D7
                                                          • Part of subcall function 00007FF6869C74B0: FormatMessageW.KERNEL32(00000000,00007FF6869C26A0), ref: 00007FF6869C7506
                                                          • Part of subcall function 00007FF6869C7A30: MultiByteToWideChar.KERNEL32 ref: 00007FF6869C7A6A
                                                        • MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        • MessageBoxA.USER32 ref: 00007FF6869C2748
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                        • String ID: %s%s: %s$Fatal error detected
                                                        • API String ID: 2806210788-2410924014
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: NameName::$Name::operator+
                                                        • String ID:
                                                        • API String ID: 826178784-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                        • Instruction ID: 98c1f238f0251762a9ed4d43b6dfb64728edccf0f167f4d9a9ebc168e7bb5ba5
                                                        • Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
                                                        • Instruction Fuzzy Hash: EE11C122E2CA87C1FE9521E4E65137514417F583B4F86063CED7E8E6D7CEAEAC41C140
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA87F
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA89E
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA8C6
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA8D7
                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF6869D9A73,?,?,00000000,00007FF6869D9D0E,?,?,?,?,?,00007FF6869D21EC), ref: 00007FF6869DA8E8
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: daef540501b22c12116ffc374b0892d30f9c5b790841e2ef32b7e795c096c5e6
                                                        • Instruction ID: 97a706f6f50e4edfd3735707793969674984d4f56940fa6fb7249e3a5a1f9330
                                                        • Opcode Fuzzy Hash: daef540501b22c12116ffc374b0892d30f9c5b790841e2ef32b7e795c096c5e6
                                                        • Instruction Fuzzy Hash: B0112930F0C2C385FE58A726AA4117A62457F447B0E04463CE93E866D7DE2EAC62C711
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA705
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA724
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA74C
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA75D
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6869E2433,?,?,?,00007FF6869DCB8C,?,?,00000000,00007FF6869D3A5F), ref: 00007FF6869DA76E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: 73fca214f1e943932ff67b95d9a940e5d6c6a0bd2e4835b222ff28ae142fb13c
                                                        • Instruction ID: d0ac504a9255f30b9c725926041b77177e5e0caed2dc1baed0341d437d289319
                                                        • Opcode Fuzzy Hash: 73fca214f1e943932ff67b95d9a940e5d6c6a0bd2e4835b222ff28ae142fb13c
                                                        • Instruction Fuzzy Hash: A511D624F0D283D5FE58A725981217A22967F45774F140B3CE93E8A2DBDE2EBC61C311
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                        • API String ID: 3215553584-1196891531
                                                        • Opcode ID: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                        • Instruction ID: dea5d836526d7f32542a13b1b3bd3c0257a6f2339b2220473f637304729b08c6
                                                        • Opcode Fuzzy Hash: e657aeb740c2ac826b77e83addb2cc82262a2e6e3b5be7210a8d66ad85871f1f
                                                        • Instruction Fuzzy Hash: CC817D76E086C3C5EF645E29821627866A0BF11BC8F568039DA0DD76D7DF2FED02D242
                                                        APIs
                                                          • Part of subcall function 00007FFB24BD6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB24BD239E), ref: 00007FFB24BD671E
                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB24BD41C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abort
                                                        • String ID: $csm$csm
                                                        • API String ID: 4206212132-1512788406
                                                        • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                        • Instruction ID: f3ab1c0592c8a04f8a61a7ae6b8bb166b8ad36e22faa52a4d9585049ac0b7fcc
                                                        • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                        • Instruction Fuzzy Hash: C8719FBA9086D1C6DB6A8F35D88877D7BA1FB44B88F148175DF8C07E8ACA2CD461C741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                        • Instruction ID: fff2bc78147d69bd18f4cf5fbbf11df836cd58d6b1147b4cf610286a91cd6065
                                                        • Opcode Fuzzy Hash: e66b2a899b3be21a272ca3efbe1e1fab7eec351de36f73ff2a6cc06a45c4f2b1
                                                        • Instruction Fuzzy Hash: EE613D37A08B86C6EB10CF69E4803AD77A0FB44B88F144229DE4E57B96DF79E955C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: 37bca86698e542f9df3f1c5971c843800452ce466371b2576d682bdca002ed1e
                                                        • Instruction ID: 157fd54d32650b1124cd0de8053910a0ab0ddfb52b357d1d642059d4dc686bd9
                                                        • Opcode Fuzzy Hash: 37bca86698e542f9df3f1c5971c843800452ce466371b2576d682bdca002ed1e
                                                        • Instruction Fuzzy Hash: 22516B329186C3C6EF748B19A24426876A0BF54B98F144139EB9F87BD6CF3DE851CB00
                                                        APIs
                                                          • Part of subcall function 00007FFB24BD6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB24BD239E), ref: 00007FFB24BD671E
                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB24BD3F13
                                                        • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFB24BD3F23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                        • String ID: csm$csm
                                                        • API String ID: 4108983575-3733052814
                                                        • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                        • Instruction ID: bfa8ac03e69ad69f7df4f87b14b87833129e51b631daa203e73e49c32a62c2e0
                                                        • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                        • Instruction Fuzzy Hash: 5A516BBA9086C2C6EA6A8B31D88826C76A0FB50B84F185176DB8D47ED7CF7CE451C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: NameName::
                                                        • String ID: %lf
                                                        • API String ID: 1333004437-2891890143
                                                        • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                        • Instruction ID: 9493546766ced60c2c5d8f12b6c943a2017d9f155a3fd6bff2619d061e14c8b4
                                                        • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                        • Instruction Fuzzy Hash: 533184AAA0CAC5C5EB22CB34ED9427D7760FB89B84F848171E99D47A47CF3CD5428740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Message$ByteCharMultiWide
                                                        • String ID: %s%s: %s$Fatal error detected
                                                        • API String ID: 1878133881-2410924014
                                                        • Opcode ID: 1ad8658de8dbd2e7b08889bff9c9537d6e44ae678795f4b96bc9f189f6c45e5f
                                                        • Instruction ID: 6b9ae77ebcc3041d8ea54aa4f0e416c000911eee618bbda18a9c92c78883b683
                                                        • Opcode Fuzzy Hash: 1ad8658de8dbd2e7b08889bff9c9537d6e44ae678795f4b96bc9f189f6c45e5f
                                                        • Instruction Fuzzy Hash: 61314172628AC3D1EA20DB11E4517EA6364FF84794F80403AEA8D876DADE7DDA45CB40
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,00007FF6869C3699), ref: 00007FF6869C3BD1
                                                          • Part of subcall function 00007FF6869C2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6869C7744,?,?,?,?,?,?,?,?,?,?,?,00007FF6869C101D), ref: 00007FF6869C2654
                                                          • Part of subcall function 00007FF6869C2620: MessageBoxW.USER32 ref: 00007FF6869C272C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastMessageModuleName
                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                        • API String ID: 2581892565-1977442011
                                                        • Opcode ID: fe87d08da65b513e87772ab3e16eb14927cda1b8744753a26f3e7d7b1799e4b8
                                                        • Instruction ID: c7d30d38b17b5b97308c0a3f614f5726d0ee270d3fa06f5c76a17cf4f67fbedd
                                                        • Opcode Fuzzy Hash: fe87d08da65b513e87772ab3e16eb14927cda1b8744753a26f3e7d7b1799e4b8
                                                        • Instruction Fuzzy Hash: 65014F21B1CAC3C1FE619B20E8563B92295BF58794F40103ED94FCA6D7EE9EEA45D700
                                                        APIs
                                                          • Part of subcall function 00007FFB24BD6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB24BD239E), ref: 00007FFB24BD671E
                                                        • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB24BD243E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abortterminate
                                                        • String ID: MOC$RCC$csm
                                                        • API String ID: 661698970-2671469338
                                                        • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                        • Instruction ID: a79d5a8399d4d4998b519700dab374032f6111fdb61674513767841ceffedf89
                                                        • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                        • Instruction Fuzzy Hash: 8AF04F7A9186C6C1EB555F75E9C916D3664FB88B40F0960B1DB4807A53CF3CD4A1CB41
                                                        APIs
                                                        • __C_specific_handler.LIBVCRUNTIME ref: 00007FFB24BDE9F0
                                                          • Part of subcall function 00007FFB24BDEC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFB24BDECF0
                                                          • Part of subcall function 00007FFB24BDEC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFB24BDE9F5), ref: 00007FFB24BDED3F
                                                          • Part of subcall function 00007FFB24BD6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB24BD239E), ref: 00007FFB24BD671E
                                                        • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB24BDEA1A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                        • String ID: csm$f
                                                        • API String ID: 2451123448-629598281
                                                        • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                        • Instruction ID: daf77a7b91a5d1eb6602e3dc07e72930e54af34f9163cb5a3e73ef5ef7536409
                                                        • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                        • Instruction Fuzzy Hash: 06E0E5BDD18AC6C0E7226B70F9C813C36A0BF14B50F1490B4DA4807A47CF3CE4A18301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: f750311aff661a04a86bbbada4284786bf27b8065a17484a8f486471230e888d
                                                        • Instruction ID: 0b81d6ea8600c74eb9049009ca2889d4c82c8e42b04c0a4bba3986407ce612a7
                                                        • Opcode Fuzzy Hash: f750311aff661a04a86bbbada4284786bf27b8065a17484a8f486471230e888d
                                                        • Instruction Fuzzy Hash: 2FD1D372B18A86C9EB10CF75D4502BC37A2FB44798B44423ACE5E97BDADE39D816C740
                                                        APIs
                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6869DC41B), ref: 00007FF6869DC54C
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6869DC41B), ref: 00007FF6869DC5D7
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
                                                        • Instruction ID: a9441e32a3afeeca4ddadcb5b85b1b15deb759aef26ec62ca785a7e1ea7d543a
                                                        • Opcode Fuzzy Hash: f410d9e07cb2d854853af875ff306a0e9c9ee922f70c4cde11a48ef332fbc2ec
                                                        • Instruction Fuzzy Hash: BE918C62A18693C5FB608F6594403BD2BA9BF44BC8F54513DDA0EA7AD6DF3AD842C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                        • Instruction ID: 033228c355ef745ab01a41bf220a1b570d41b824157a336ac073cbc0e2700299
                                                        • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                        • Instruction Fuzzy Hash: 85916EAAE08796C9F7168B74DC883AC37B0BB58708F944175DE4D17A9BDF78A846C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _get_daylight$_isindst
                                                        • String ID:
                                                        • API String ID: 4170891091-0
                                                        • Opcode ID: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
                                                        • Instruction ID: 9284604e2a3f059722f4b685aee7ca3fc47244255e99c7c081658d03c1867a06
                                                        • Opcode Fuzzy Hash: d5d13d1c94d14ccfec0c44e7243bbda22246c77cf8c41a11f0b86d98f8b3a05c
                                                        • Instruction Fuzzy Hash: 2351C572F04693CAEF14DB68A9816BC27A5BF50368F54423DED1E92AD6DF39AC41C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+$NameName::
                                                        • String ID:
                                                        • API String ID: 168861036-0
                                                        • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                        • Instruction ID: 9ca7a26381354373d6cac3e7718ba6fa26ddeafa17b5aac5102048bf203b04d2
                                                        • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                        • Instruction Fuzzy Hash: 24514DBAA18A96C8E712CF74ED843BC37A0BB89B48F944071DA0D47B96DF39D442C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                        • String ID:
                                                        • API String ID: 2780335769-0
                                                        • Opcode ID: 1c70a69b05d9cb3f6248f84cd75ebf1bef0caf7e7cf88daad42b4853df974b62
                                                        • Instruction ID: 099a8028040e6d1ef781c9be5da36b6f2381bf2fd562a8bf29b57826324be4c0
                                                        • Opcode Fuzzy Hash: 1c70a69b05d9cb3f6248f84cd75ebf1bef0caf7e7cf88daad42b4853df974b62
                                                        • Instruction Fuzzy Hash: 6D516822E08682CAFB90DFA1D5403BD23A1BF58B98F158139DE4D9769ADF39D891C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                        • Instruction ID: 7e9299427cbf6ee1f04a398a6ce18f1a3a52029333452a203375b5d315d88db9
                                                        • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                        • Instruction Fuzzy Hash: 934148B6A08B95C9F702CF78D8893AC37B0BB98B48F948025DA4D57B5ADF7C9442C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$DialogInvalidateRect
                                                        • String ID:
                                                        • API String ID: 1956198572-0
                                                        • Opcode ID: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
                                                        • Instruction ID: 4b11804335e80d8ff71ed52055bfcf1b5eaf3c3cbccfdb02dbeacbfdaa4f918c
                                                        • Opcode Fuzzy Hash: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
                                                        • Instruction Fuzzy Hash: CF11E921E181C3C2FE508769E5442B91292FF897D0F445039E94A86BDFDE2EDCC1D204
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: _get_daylight$_invalid_parameter_noinfo
                                                        • String ID: ?
                                                        • API String ID: 1286766494-1684325040
                                                        • Opcode ID: 8b5d587ec6f6b7eed71ba39116b338de031c50ce5c8dd23bba2b14458f06a6e4
                                                        • Instruction ID: c5fa129c8d873c276f2d0dc1b09e848e784fff689e3df1ff861b6b0124fc59b6
                                                        • Opcode Fuzzy Hash: 8b5d587ec6f6b7eed71ba39116b338de031c50ce5c8dd23bba2b14458f06a6e4
                                                        • Instruction Fuzzy Hash: 8641E612A086C3D6FF649B25940137A6690FF80BA4F14423DEF5C86AD6DE7ED891C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: abort$CreateFrameInfo
                                                        • String ID: csm
                                                        • API String ID: 2697087660-1018135373
                                                        • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                        • Instruction ID: 2aecc38583494dc6c10d4f0548b3827029756ee48ec4c46e708a16d8eb1c0096
                                                        • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                        • Instruction Fuzzy Hash: 13514ABA618681C6E621AF36E88426E77A4FB88B90F141575DF8D07B56CF3CE461CB00
                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6869D7E9E
                                                          • Part of subcall function 00007FF6869D9E18: HeapFree.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E2E
                                                          • Part of subcall function 00007FF6869D9E18: GetLastError.KERNEL32(?,?,?,00007FF6869E1E42,?,?,?,00007FF6869E1E7F,?,?,00000000,00007FF6869E2345,?,?,?,00007FF6869E2277), ref: 00007FF6869D9E38
                                                        • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6869CB105), ref: 00007FF6869D7EBC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                        • String ID: C:\Users\user\Desktop\oneDrive.exe
                                                        • API String ID: 3580290477-2215394283
                                                        • Opcode ID: 7be78eb059dea3495cc358456d23a898a8a026444ba3d0a56d0d7994263981b4
                                                        • Instruction ID: beb2f3adef401bd025e1c9dc72d2a71517280ef65c44d507e8c1c01a85c26c0c
                                                        • Opcode Fuzzy Hash: 7be78eb059dea3495cc358456d23a898a8a026444ba3d0a56d0d7994263981b4
                                                        • Instruction Fuzzy Hash: 46412B32A08B93C5EF249F2594801B867A4FF44B94B544039EA4E87BD6DF3EEC91C350
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 4134df34369bde334de186fcdf44a7df93ab1702ff4cc21259579c47d67cfea1
                                                        • Instruction ID: b470332bb7105c81cbfaf1d0b361a93fe564f7c3fb2ab3a9a2fb93b7eb822e8c
                                                        • Opcode Fuzzy Hash: 4134df34369bde334de186fcdf44a7df93ab1702ff4cc21259579c47d67cfea1
                                                        • Instruction Fuzzy Hash: 7941BF22A18A82D6DB208F65E8443A977A5FF987D4F804039EE4EC7799DF3DD841C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: void$void
                                                        • API String ID: 2943138195-3746155364
                                                        • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                        • Instruction ID: 26fa28f19fd5c7be8a06d07188a3dcb44e0c2d61c337e5dc4ac8542ef2ccbb23
                                                        • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                        • Instruction Fuzzy Hash: B53125AAE18B95D8FB06CB74DC850EC37B0BB48748F840176DE4E22A5ADF389145C750
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: :
                                                        • API String ID: 1611563598-336475711
                                                        • Opcode ID: 89ffee479c464830a404f371819462673addff3e4a0adbddceaf6599ad198d2e
                                                        • Instruction ID: 6938a1e89772ed854217799e1f56bdde4b5ad5ab106a7ec56bf2da62c07f0f4e
                                                        • Opcode Fuzzy Hash: 89ffee479c464830a404f371819462673addff3e4a0adbddceaf6599ad198d2e
                                                        • Instruction Fuzzy Hash: 6D218C72A186C3C1EF209B19E05426D63A1FF88B84F454039DA8D836C6EF7EED85CB51
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Message$ByteCharMultiWide
                                                        • String ID: Fatal error detected
                                                        • API String ID: 1878133881-4025702859
                                                        • Opcode ID: f7448773671dbda672e22a82cfe80c2e0aa70ed18289780b2b9e604a2b102c49
                                                        • Instruction ID: 2dd6d9a0a47aff4292d7ec9325005453ec11e4769343b826970d6fc42a1a91cd
                                                        • Opcode Fuzzy Hash: f7448773671dbda672e22a82cfe80c2e0aa70ed18289780b2b9e604a2b102c49
                                                        • Instruction Fuzzy Hash: 4C218372628AC2C1EF209711F4517EA6354FF84784F805139EA8E876DADF7DD605C750
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: Message$ByteCharMultiWide
                                                        • String ID: Error detected
                                                        • API String ID: 1878133881-3513342764
                                                        • Opcode ID: 412921116a21d042ea7cc01f3b6226aa372ad23cfa1aaecee88db1efd33321aa
                                                        • Instruction ID: 45c2a9012fb860fe0a031c6023aaf8091d2df02b2d8e99ebcbd8de653a3bd08c
                                                        • Opcode Fuzzy Hash: 412921116a21d042ea7cc01f3b6226aa372ad23cfa1aaecee88db1efd33321aa
                                                        • Instruction Fuzzy Hash: 93214172628AC2D1EF209711E4517EA6254FF84784F805139EA8E876DADE3DD605C750
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: FileHeader$ExceptionRaise
                                                        • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                        • API String ID: 3685223789-3176238549
                                                        • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                        • Instruction ID: 8d19743bfca50247e00d6d9d58f5a82fe8f43bf60ea3e1be6d1be8033ea45229
                                                        • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                        • Instruction Fuzzy Hash: 9B018CE9A29A86D2EF029B34ECD817C7320FF84B94F805431D50E06AA7EF6CD506C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                        • Instruction ID: 79b0b674fea73621cbbd532d7dce70476293d4a022542ecfcf05185a3c522ea7
                                                        • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                        • Instruction Fuzzy Hash: A7115B76608B81C2EB128F35E98426D7BA4FB88B84F684230DE8C07B5ADF3CD5518B00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: a9ac3328ea6075577af066dd04772514ea360050604432a87b0551bd96b2ca6b
                                                        • Instruction ID: c932d60b43b6486c7770940b4731d8fe1141add09da7770d80acbafb843adf74
                                                        • Opcode Fuzzy Hash: a9ac3328ea6075577af066dd04772514ea360050604432a87b0551bd96b2ca6b
                                                        • Instruction Fuzzy Hash: 06112832608B82C2EB218F15F44026977A4FF88B94F184239EE8D477A9DF7ED951CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2048652558.00007FF6869C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6869C0000, based on PE: true
                                                        • Associated: 00000002.00000002.2048633689.00007FF6869C0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048683425.00007FF6869EA000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF6869FD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A00000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048739904.00007FF686A0C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000002.00000002.2048831964.00007FF686A0E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff6869c0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                        • String ID: :
                                                        • API String ID: 2595371189-336475711
                                                        • Opcode ID: f8eec6a66f3a594e824ddea09938586a7cad5545a492e04bdbecb8d953b03adc
                                                        • Instruction ID: 24bbeeba6ab2ca88f3a380b4ba93c0b649b4d8f41ba0eb4744cb159672555066
                                                        • Opcode Fuzzy Hash: f8eec6a66f3a594e824ddea09938586a7cad5545a492e04bdbecb8d953b03adc
                                                        • Instruction Fuzzy Hash: 48017C21918683C6EF61AF60D46227A23A0FF44758F44103AE54DC76D3DE2EE984DA14
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FFB24BD65B9,?,?,?,?,00007FFB24BDFB22,?,?,?,?,?), ref: 00007FFB24BD674B
                                                        • SetLastError.KERNEL32(?,?,?,00007FFB24BD65B9,?,?,?,?,00007FFB24BDFB22,?,?,?,?,?), ref: 00007FFB24BD67D4
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2049831443.00007FFB24BD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB24BD0000, based on PE: true
                                                        • Associated: 00000002.00000002.2049804152.00007FFB24BD0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049899857.00007FFB24BE6000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ffb24bd0000_oneDrive.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0
                                                        • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                        • Instruction ID: cb81ad0e218f630c40684aec242305c734f5a2e7ae03492863230251206f7b97
                                                        • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                        • Instruction Fuzzy Hash: F0111FACF09696C1EA569731DDDC23C3291AF84FA0F544A74DD6E06FD7DE2CA8528A00