| Source: OneDriveUpdater.exe |
Static PE information: certificate valid |
| Source: OneDriveUpdater.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Source: classification engine |
Classification label: clean15.winEXE@6/0@0/0 |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Mutant created: \Sessions\1\BaseNamedObjects\FileSyncClientUpdaterNamedMutex |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
File created: C:\Users\user\AppData\Local\Temp\wct4511.tmp |
| Source: OneDriveUpdater.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Source: C:\Windows\System32\conhost.exe |
File read: C:\Users\desktop.ini |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
| Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| Source: unknown |
Process created: C:\Users\user\Desktop\OneDriveUpdater.exe "C:\Users\user\Desktop\OneDriveUpdater.exe" |
| Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| Source: unknown |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" |
| Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\ipconfig.exe ipconfig |
| Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\ipconfig.exe ipconfig |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: version.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: userenv.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: winhttp.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: rstrtmgr.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: wtsapi32.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: secur32.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: urlmon.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: wininet.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: iphlpapi.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: ncrypt.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: iertutil.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: srvcli.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: netutils.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: sspicli.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: ntasn1.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: msasn1.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: cryptbase.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: windows.storage.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: wldp.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: kernel.appcore.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: profapi.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: bitsproxy.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: cryptsp.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: rsaenh.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: wofutil.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Section loaded: msxml6.dll |
| Source: C:\Windows\System32\cmd.exe |
Section loaded: winbrand.dll |
| Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
| Source: C:\Windows\System32\ipconfig.exe |
Section loaded: iphlpapi.dll |
| Source: C:\Windows\System32\ipconfig.exe |
Section loaded: dhcpcsvc.dll |
| Source: C:\Windows\System32\ipconfig.exe |
Section loaded: dhcpcsvc6.dll |
| Source: C:\Windows\System32\ipconfig.exe |
Section loaded: dnsapi.dll |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32 |
| Source: Window Recorder |
Window detected: More than 3 window changes detected |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\Configuration |
| Source: OneDriveUpdater.exe |
Static PE information: certificate valid |
| Source: OneDriveUpdater.exe |
Static PE information: More than 248 > 100 exports found |
| Source: OneDriveUpdater.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
| Source: OneDriveUpdater.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
| Source: OneDriveUpdater.exe |
Static file information: File size 4200864 > 1048576 |
| Source: OneDriveUpdater.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e7a00 |
| Source: OneDriveUpdater.exe |
Static PE information: More than 200 imports for KERNEL32.dll |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
| Source: OneDriveUpdater.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Source: OneDriveUpdater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: OneDriveUpdater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
| Source: OneDriveUpdater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
| Source: OneDriveUpdater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
| Source: OneDriveUpdater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
| Source: OneDriveUpdater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
| Source: OneDriveUpdater.exe |
Static PE information: section name: .didat |
| Source: OneDriveUpdater.exe |
Static PE information: section name: _RDATA |
| Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\ipconfig.exe ipconfig |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Process information set: NOOPENFILEERRORBOX |
| Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Process information queried: ProcessInformation |
| Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\ipconfig.exe ipconfig |
| Source: C:\Users\user\Desktop\OneDriveUpdater.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
