Edit tour

Windows Analysis Report
OneDrive.exe

Overview

General Information

Sample name:	OneDrive.exe
Analysis ID:	1581167
MD5:	7056e050ebbfca6ae325797d51eb2d0a
SHA1:	055cd6e4bde3449d72f7061620647ecb73d6b9cd
SHA256:	c316b0b818125541a90d7110af8c0908a8d6c73d3b846a27aed647fab6b38e00
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

OneDrive.exe (PID: 3184 cmdline: "C:\Users\user\Desktop\OneDrive.exe" MD5: 7056E050EBBFCA6AE325797D51EB2D0A)

schtasks.exe (PID: 5268 cmdline: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Onedrive.exe (PID: 6348 cmdline: "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" MD5: 7056E050EBBFCA6AE325797D51EB2D0A)

schtasks.exe (PID: 5408 cmdline: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Onedrive.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe MD5: 7056E050EBBFCA6AE325797D51EB2D0A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "147.185.221.22:54755;", "SubDirectory": "Onedrive", "InstallName": "Onedrive.exe", "MutexName": "9cabbafb-503b-49f1-ab22-adc756455c10", "StartupKey": "Microsoft OneDrive", "Tag": "Test", "LogDirectoryName": "Logs", "ServerSignature": "ZYAGEke5WNV/ozv7H+c3yUvNxuuThujVX2Cwg9feoVfHl9tXBcyuZyge+K8E7yHu1lkbEOg6ZHpj2op3bBxxtGVHKhhR1E2LCDKsdMfOV/qDdAxQLHtSOKW9crQ/gLdoG8h/F/eCX2WAiZq3Ox27bGoI40cCvhJYtEA9G1/rSMBxXM32XsE6HsILfm+NTl425BPS/su0lETXX9a238R8IgX0k3tohUiZJYtgx9w+dxMgqHXFf/fYIsAH5am1RzQDBG6AEPeocIuPYOtarr7Gwv33/Y/82QoEh/cjkxaYgQ3o41jkREI/UuCpPp2qwtDsraq2n9A8fheGVXEoiCUqGgPphDEgIaZaC7pX7Yb2l+pbdl8E+/Ew8Apjgua2ENW0qwPn9GSLP3ZWRohcSgiXEU91Q7odCecLkxZLVOxXz/0nvEkRSbOLfKnaG85yul0RQo3a/wBpGLIhtb+Se6ZsigT+D9nuvuWG0yLzNQrffDFuStdJYdA+/ZE9sYh+o4fy0PsNqVS78x7HG+QD4V7dn3nwuJjb+3I+lpLR1gDgGCxHpoN+XgmGOS83JX9PxZOUdPpdn5PVtsZFicVOiyQEYYE7WLU6n96/5uAo4igacHlWeB+lrkHGknZukGkzhbqb/VBicQs0WxRnJ69fqF1j9hi/bJKroQpucwcQeZKATP4=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAKXcsZRpOZ5dzdB/Pj/4CzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDExNTE5MTg0N1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmyZZ+e0seai9btb7xLz2K5jDzrUw2iHPe93xRYMF02Qj7PJu+RQF6Klk5DsRIm+PJZgK63uEqj+oWy9sC555okQ2p3I+VkKhPgkB24MyyY9UCJ9J1MvvLvzE78SxlZBdresxyD89cXZk9mF2jv5q5tuVRPKLX7SR0ZDdP4JqMB3ask/OuP6ZSVafFRgFyDszfKvS6yna1gZ9SJmYupAdwOwzJFNQf/0xMGl2RKymjdsLvGhkeUQiTgLbDUqbiH7xaEDGC0PoFirdUJRP3c40ImycrY3ChMdlvohAlZmaLXK3PNQUigQsrJk5FP8QNZlC9wdmm0704P6ujt0LlKFjb8hcK97X1YFJGMJSLT/Is00igMR098ApEVBU/kOaVyYfiYnRigqjp7AgOKBFxbEJ5ACxe9Pigo6JwNRCPOVCqlF0kqoLyHAK0d7LdtlfXMgNWUEcRtGqaerR+43m0idINwRrS8RzI7lwzksG1zpKmckLeZaqfufjpHUz8lRJRXKsyemDOGfJSnL68WuA0RZjkcN6L8h4qplpC22l7AbuGLIIdX1LbsmcW6F/ml8srM1Ci8VhB8zBmfAPsEmBMRtSNo1DLJsDd1o8B9/nfZcsAFzfbF2hJyf+Iu7uvH65+h66x8FYZ1L9Q0WWG3w/zSC9kQbFKiSTUo4UDRCKXsruiAcCAwEAAaMyMDAwHQYDVR0OBBYEFC/bqSbq3cxfhqcFFOSiCkJpnf77MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABlofSjKUeayGjHmbAjcp9xJa0fmMixQnSaK+Yb84DqowCqHLdG5Xlg9E4JMeVRXbl7weNzg1PcjCC0WNmZf9ph+bTmLveLb8dhX12sfv6UrC02kQQvr7rXWaTtEpSiinaLIAqWF2PAlNKzyYqWVkNy8YNZ8IGsPKeoUjMV5WKShj9/wX12lGxfa1GiH40gSZP9gGpOJAs+nFHfXeM9cS+wUuvArcJjk0GIUV+4qRDFLwL1i9BxwlLEE3RBtlYq/mRWTQTE25nklCl8vwe93LGcGPIVGFIyZvU4iFpHHV3Qvq/2vgN9bUISR7qn8VIGUli2srzaOD0bsuthz8kswCVz+FbUEcW3KnWMYe4CtIG1PiWFFLUO5ksJOsiVMlq3U8mMhGMxDjtAWQFMPG7KGnazj6685YQ6GSMigCC1JdJ+6ZManj7OlegG7HrnG4Q7xpfi6isKiZW1c8Ra/UD0nxBEVObGMM2tn8viH2+DiNAd9Dc8RIjZqo5X239kDu2Mift7U9uWHJBBhwJYjnvrP9kpl4+HiaZQ3utRcxLTbGB+pWKmTBvbOdZ/QRdBHZqdrocnCEN653AZSSXyWYbbso6LkCEkMPxyX/yYPXGVMzN64cT8v1/AVagEfgFJPfgSpguRZtbjur93Na3Z3T8vehn3cf79ZAzLkIZMYGja2lanq"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
OneDrive.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
OneDrive.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
OneDrive.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef13:$x1: Quasar.Common.Messages 0x29f23c:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
OneDrive.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd45c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd3a0:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd3be:$a4: encryptedPassword 0x2fd33c:$a5: httpRealm
OneDrive.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ec12:$s4: get_PotentiallyVulnerablePasswords 0x278cce:$s5: GetKeyloggerLogsDirectory 0x29e99b:$s5: GetKeyloggerLogsDirectory 0x28ec35:$s6: set_PotentiallyVulnerablePasswords 0x2fea8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef13:$x1: Quasar.Common.Messages 0x29f23c:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd45c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd3a0:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd3be:$a4: encryptedPassword 0x2fd33c:$a5: httpRealm
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ec12:$s4: get_PotentiallyVulnerablePasswords 0x278cce:$s5: GetKeyloggerLogsDirectory 0x29e99b:$s5: GetKeyloggerLogsDirectory 0x28ec35:$s6: set_PotentiallyVulnerablePasswords 0x2fea8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2036075763.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: OneDrive.exe PID: 3184	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Onedrive.exe PID: 6348	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.OneDrive.exe.c20000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.OneDrive.exe.c20000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.OneDrive.exe.c20000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef13:$x1: Quasar.Common.Messages 0x29f23c:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.OneDrive.exe.c20000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd45c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd3a0:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd3be:$a4: encryptedPassword 0x2fd33c:$a5: httpRealm
0.0.OneDrive.exe.c20000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ec12:$s4: get_PotentiallyVulnerablePasswords 0x278cce:$s5: GetKeyloggerLogsDirectory 0x29e99b:$s5: GetKeyloggerLogsDirectory 0x28ec35:$s6: set_PotentiallyVulnerablePasswords 0x2fea8a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe", ParentImage: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, ParentProcessId: 6348, ParentProcessName: Onedrive.exe, ProcessCommandLine: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f, ProcessId: 5408, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDrive.exe", ParentImage: C:\Users\user\Desktop\OneDrive.exe, ParentProcessId: 3184, ParentProcessName: OneDrive.exe, ProcessCommandLine: "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f, ProcessId: 5268, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OneDrive.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: OneDrive.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "147.185.221.22:54755;", "SubDirectory": "Onedrive", "InstallName": "Onedrive.exe", "MutexName": "9cabbafb-503b-49f1-ab22-adc756455c10", "StartupKey": "Microsoft OneDrive", "Tag": "Test", "LogDirectoryName": "Logs", "ServerSignature": "ZYAGEke5WNV/ozv7H+c3yUvNxuuThujVX2Cwg9feoVfHl9tXBcyuZyge+K8E7yHu1lkbEOg6ZHpj2op3bBxxtGVHKhhR1E2LCDKsdMfOV/qDdAxQLHtSOKW9crQ/gLdoG8h/F/eCX2WAiZq3Ox27bGoI40cCvhJYtEA9G1/rSMBxXM32XsE6HsILfm+NTl425BPS/su0lETXX9a238R8IgX0k3tohUiZJYtgx9w+dxMgqHXFf/fYIsAH5am1RzQDBG6AEPeocIuPYOtarr7Gwv33/Y/82QoEh/cjkxaYgQ3o41jkREI/UuCpPp2qwtDsraq2n9A8fheGVXEoiCUqGgPphDEgIaZaC7pX7Yb2l+pbdl8E+/Ew8Apjgua2ENW0qwPn9GSLP3ZWRohcSgiXEU91Q7odCecLkxZLVOxXz/0nvEkRSbOLfKnaG85yul0RQo3a/wBpGLIhtb+Se6ZsigT+D9nuvuWG0yLzNQrffDFuStdJYdA+/ZE9sYh+o4fy0PsNqVS78x7HG+QD4V7dn3nwuJjb+3I+lpLR1gDgGCxHpoN+XgmGOS83JX9PxZOUdPpdn5PVtsZFicVOiyQEYYE7WLU6n96/5uAo4igacHlWeB+lrkHGknZukGkzhbqb/VBicQs0WxRnJ69fqF1j9hi/bJKroQpucwcQeZKATP4=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAKXcsZRpOZ5dzdB/Pj/4CzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDExNTE5MTg0N1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmyZZ+e0seai9btb7xLz2K5jDzrUw2iHPe93xRYMF02Qj7PJu+RQF6Klk5DsRIm+PJZgK63uEqj+oWy9sC555okQ2p3I+VkKhPgkB24MyyY9UCJ9J1MvvLvzE78SxlZBdresxyD89cXZk9mF2jv5q5tuVRPKLX7SR0ZDdP4JqMB3ask/OuP6ZSVafFRgFyDszfKvS6yna1gZ9SJmYupAdwOwzJFNQf/0xMGl2RKymjdsLvGhkeUQiTgLbDUqbiH7xaEDGC0PoFirdUJRP3c40ImycrY3ChMdlvohAlZmaLXK3PNQUigQsrJk5FP8QNZlC9wdmm0704P6ujt0LlKFjb8hcK97X1YFJGMJSLT/Is00igMR098ApEVBU/kOaVyYfiYnRigqjp7AgOKBFxbEJ5ACxe9Pigo6JwNRCPOVCqlF0kqoLyHAK0d7LdtlfXMgNWUEcRtGqaerR+43m0idINwRrS8RzI7lwzksG1zpKmckLeZaqfufjpHUz8lRJRXKsyemDOGfJSnL68WuA0RZjkcN6L8h4qplpC22l7AbuGLIIdX1LbsmcW6F/ml8srM1Ci8VhB8zBmfAPsEmBMRtSNo1DLJsDd1o8B9/nfZcsAFzfbF2hJyf+Iu7uvH65+h66x8FYZ1L9Q0WWG3w/zSC9kQbFKiSTUo4UDRCKXsruiAcCAwEAAaMyMDAwHQYDVR0OBBYEFC/bqSbq3cxfhqcFFOSiCkJpnf77MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABlofSjKUeayGjHmbAjcp9xJa0fmMixQnSaK+Yb84DqowCqHLdG5Xlg9E4JMeVRXbl7weNzg1PcjCC0WNmZf9ph+bTmLveLb8dhX12sfv6UrC02kQQvr7rXWaTtEpSiinaLIAqWF2PAlNKzyYqWVkNy8YNZ8IGsPKeoUjMV5WKShj9/wX12lGxfa1GiH40gSZP9gGpOJAs+nFHfXeM9cS+wUuvArcJjk0GIUV+4qRDFLwL1i9BxwlLEE3RBtlYq/mRWTQTE25nklCl8vwe93LGcGPIVGFIyZvU4iFpHHV3Qvq/2vgN9bUISR7qn8VIGUli2srzaOD0bsuthz8kswCVz+FbUEcW3KnWMYe4CtIG1PiWFFLUO5ksJOsiVMlq3U8mMhGMxDjtAWQFMPG7KGnazj6685YQ6GSMigCC1JdJ+6ZManj7OlegG7HrnG4Q7xpfi6isKiZW1c8Ra/UD0nxBEVObGMM2tn8viH2+DiNAd9Dc8RIjZqo5X239kDu2Mift7U9uWHJBBhwJYjnvrP9kpl4+HiaZQ3utRcxLTbGB+pWKmTBvbOdZ/QRdBHZqdrocnCEN653AZSSXyWYbbso6LkCEkMPxyX/yYPXGVMzN64cT8v1/AVagEfgFJPfgSpguRZtbjur93Na3Z3T8vehn3cf79ZAzLkIZMYGja2lanq"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: OneDrive.exe	Virustotal: Detection: 66%			Perma Link
Source: OneDrive.exe	ReversingLabs: Detection: 73%

Yara detected Quasar RAT

Source: Yara match	File source: OneDrive.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036075763.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OneDrive.exe PID: 3184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onedrive.exe PID: 6348, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OneDrive.exe

Joe Sandbox ML: detected

Source: OneDrive.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OneDrive.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.185.221.22

Yara detected Generic Downloader

Source: Yara match	File source: OneDrive.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 147.185.221.22:54755

Source: Joe Sandbox View

IP Address: 147.185.221.22 147.185.221.22

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.22

Source: OneDrive.exe, 00000000.00000002.2060484287.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.3291009274.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.3291009274.0000000003089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OneDrive.exe, Onedrive.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: OneDrive.exe, Onedrive.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: OneDrive.exe, Onedrive.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: OneDrive.exe, Onedrive.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: OneDrive.exe, Onedrive.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: OneDrive.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036075763.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OneDrive.exe PID: 3184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onedrive.exe PID: 6348, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: OneDrive.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: OneDrive.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: OneDrive.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848FE8A61	4_2_00007FF848FE8A61
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848FE4DC6	4_2_00007FF848FE4DC6
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848FE93C1	4_2_00007FF848FE93C1
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848FEA7CD	4_2_00007FF848FEA7CD
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848FE5BE1	4_2_00007FF848FE5BE1

Source: OneDrive.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OneDrive.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: OneDrive.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: OneDrive.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/2@0/1

Source: C:\Users\user\Desktop\OneDrive.exe

File created: C:\Users\user\AppData\Roaming\Onedrive

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\9cabbafb-503b-49f1-ab22-adc756455c10
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03

Source: OneDrive.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OneDrive.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\OneDrive.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OneDrive.exe	Virustotal: Detection: 66%
Source: OneDrive.exe	ReversingLabs: Detection: 73%

Source: OneDrive.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\OneDrive.exe

File read: C:\Users\user\Desktop\OneDrive.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OneDrive.exe "C:\Users\user\Desktop\OneDrive.exe"
Source: C:\Users\user\Desktop\OneDrive.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDrive.exe	Process created: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OneDrive.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process created: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: OneDrive.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OneDrive.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: OneDrive.exe

Static file information: File size 3368960 > 1048576

Source: OneDrive.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600

Source: OneDrive.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\OneDrive.exe	Code function: 0_2_00007FF848D900BD pushad ; iretd	0_2_00007FF848D900C1
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848D700BD pushad ; iretd	4_2_00007FF848D700C1
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 4_2_00007FF848FE2A42 push eax; ret	4_2_00007FF848FE2BFC
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Code function: 5_2_00007FF848D900BD pushad ; iretd	5_2_00007FF848D900C1

Source: C:\Users\user\Desktop\OneDrive.exe

File created: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\OneDrive.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\OneDrive.exe	File opened: C:\Users\user\Desktop\OneDrive.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	File opened: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	File opened: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Memory allocated: 1B210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Memory allocated: 1B050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Memory allocated: 1ACD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe TID: 3408	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe TID: 5828	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OneDrive.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Onedrive.exe, 00000004.00000002.3295065789.000000001B962000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\OneDrive.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\OneDrive.exe	Process created: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe	Queries volume information: C:\Users\user\Desktop\OneDrive.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Queries volume information: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	Queries volume information: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\OneDrive.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: OneDrive.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036075763.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OneDrive.exe PID: 3184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onedrive.exe PID: 6348, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: OneDrive.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OneDrive.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036075763.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OneDrive.exe PID: 3184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Onedrive.exe PID: 6348, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OneDrive.exe	67%	Virustotal		Browse
OneDrive.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
OneDrive.exe	100%	Avira	HEUR/AGEN.1305769
OneDrive.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
147.185.221.22	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
147.185.221.22	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	OneDrive.exe, Onedrive.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	OneDrive.exe, Onedrive.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	OneDrive.exe, Onedrive.exe.0.dr	false	high
https://ipwho.is/	OneDrive.exe, Onedrive.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OneDrive.exe, 00000000.00000002.2060484287.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.3291009274.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Onedrive.exe, 00000004.00000002.3291009274.0000000003089000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	OneDrive.exe, Onedrive.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.22	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581167
Start date and time:	2024-12-27 06:39:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OneDrive.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/2@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Onedrive.exe, PID 5460 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
06:40:03	Task Scheduler	Run new task: Microsoft OneDrive path: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.22	msedge.exe	Get hash	malicious	XWorm	Browse
	com surrogate.exe	Get hash	malicious	XWorm	Browse
	Minet.exe	Get hash	malicious	Njrat	Browse
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse
	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse
	exe003.exe	Get hash	malicious	XWorm	Browse
	OXhiMvksgM.exe	Get hash	malicious	XWorm	Browse
	7bZWBYVNPU.exe	Get hash	malicious	XWorm	Browse
	BWoiYc9WwI.exe	Get hash	malicious	XWorm	Browse
	fjijTlM2tu.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	gReXLT7XjR.exe	Get hash	malicious	Njrat	Browse	147.185.221.18
	_____.exe	Get hash	malicious	DarkComet	Browse	147.185.221.23
	test.exe	Get hash	malicious	DarkComet	Browse	147.185.221.24
	L363rVr7oL.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	WO.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	reddit.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	147.176.119.110
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

Process:	C:\Users\user\Desktop\OneDrive.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

Download File

Process:	C:\Users\user\Desktop\OneDrive.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3368960
Entropy (8bit):	6.0457642087720345
Encrypted:	false
SSDEEP:	49152:ivlI22SsaNYfdPBldt698dBcjH09L/RBxwcoGdb9THHB72eh2NT:ivu22SsaNYfdPBldt6+dBcjHq/lL
MD5:	7056E050EBBFCA6AE325797D51EB2D0A
SHA1:	055CD6E4BDE3449D72F7061620647ECB73D6B9CD
SHA-256:	C316B0B818125541A90D7110AF8C0908A8D6C73D3B846A27AED647FAB6B38E00
SHA-512:	0C54802AD35F5A00C5DB1195DF2D566BC18A384F486CC3CA00DC63BB86E3FC5D105192CFE5EFE9ED62BDEDB441877486EC7AEDBD7A6BF59FCDA2F772308B150E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. ........................3...........@...................................1.W.....2.0.....................3...................................................... ............... ..H............text...$.1.. ....1................. ..`.rsrc...0.....2.......1.............@..@.reloc........3......f3.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.0457642087720345
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	OneDrive.exe
File size:	3'368'960 bytes
MD5:	7056e050ebbfca6ae325797d51eb2d0a
SHA1:	055cd6e4bde3449d72f7061620647ecb73d6b9cd
SHA256:	c316b0b818125541a90d7110af8c0908a8d6c73d3b846a27aed647fab6b38e00
SHA512:	0c54802ad35f5a00c5db1195df2d566bc18a384f486cc3ca00dc63bb86e3fc5d105192cfe5efe9ed62bdedb441877486ec7aedbd7a6bf59fcda2f772308b150e
SSDEEP:	49152:ivlI22SsaNYfdPBldt698dBcjH09L/RBxwcoGdb9THHB72eh2NT:ivu22SsaNYfdPBldt6+dBcjHq/lL
TLSH:	EDF56B043BF80E73E16FD273D5B16036A3F1E82EB7A3EB0B51416A7A1D63B5448416A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. ........................3...........@................................

File Icon


Icon Hash:	8e172d4461e84423

Static PE Info

General

Entrypoint:	0x71e41e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e3c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0x19d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x33a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c424	0x31c600	6da4a047f0269eb9c0e6753776204c9d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0x19d30	0x19e00	fdbfc00871feefa6695e6a2bcd3f9e47	False	0.0822482638888889	data	3.1971301797937324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x33a000	0xc	0x200	fa735c7d99f8b46f526d66db4681db3b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x320220	0xb5b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9205366357069144
RT_ICON	0x320d7c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.02651425529397847
RT_ICON	0x3315a4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.06004959848842702
RT_ICON	0x3357cc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.1004149377593361
RT_ICON	0x337d74	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.13062851782363977
RT_ICON	0x338e1c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.27925531914893614
RT_GROUP_ICON	0x339284	0x5a	data	0.7666666666666667
RT_VERSION	0x3392e0	0x378	data	0.40427927927927926
RT_MANIFEST	0x339658	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text	0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 06:40:05.655015945 CET	49704	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:05.774756908 CET	54755	49704	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:05.774907112 CET	49704	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:05.792105913 CET	49704	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:05.911715984 CET	54755	49704	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:27.719929934 CET	54755	49704	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:27.720056057 CET	49704	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:27.861183882 CET	49704	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:27.980865955 CET	54755	49704	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:28.368781090 CET	49726	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:28.488436937 CET	54755	49726	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:28.488528013 CET	49726	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:28.489382029 CET	49726	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:28.609819889 CET	54755	49726	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:50.479526997 CET	54755	49726	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:50.482258081 CET	49726	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:50.482547998 CET	49726	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:50.601989985 CET	54755	49726	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:51.321994066 CET	49772	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:51.475272894 CET	54755	49772	147.185.221.22	192.168.2.5
Dec 27, 2024 06:40:51.475347996 CET	49772	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:51.475610971 CET	49772	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:40:51.595108032 CET	54755	49772	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:13.361119986 CET	54755	49772	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:13.361206055 CET	49772	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:13.361552954 CET	49772	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:13.481096983 CET	54755	49772	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:13.821345091 CET	49820	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:13.941447020 CET	54755	49820	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:13.941543102 CET	49820	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:13.941832066 CET	49820	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:14.061306000 CET	54755	49820	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:35.901774883 CET	54755	49820	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:35.901853085 CET	49820	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:35.902292967 CET	49820	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:36.021708965 CET	54755	49820	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:36.696224928 CET	49870	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:36.815834999 CET	54755	49870	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:36.816014051 CET	49870	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:36.816241026 CET	49870	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:36.935734987 CET	54755	49870	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:58.730242014 CET	54755	49870	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:58.730374098 CET	49870	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:58.730735064 CET	49870	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:58.850203991 CET	54755	49870	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:59.274230003 CET	49920	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:59.394088030 CET	54755	49920	147.185.221.22	192.168.2.5
Dec 27, 2024 06:41:59.394216061 CET	49920	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:59.394526005 CET	49920	54755	192.168.2.5	147.185.221.22
Dec 27, 2024 06:41:59.514003992 CET	54755	49920	147.185.221.22	192.168.2.5

Target ID:	0
Start time:	00:40:00
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\OneDrive.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\OneDrive.exe"
Imagebase:	0xc20000
File size:	3'368'960 bytes
MD5 hash:	7056E050EBBFCA6AE325797D51EB2D0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2036075763.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:40:02
Start date:	27/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f
Imagebase:	0x7ff61a4d0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:40:02
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:40:02
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe"
Imagebase:	0xb40000
File size:	3'368'960 bytes
MD5 hash:	7056E050EBBFCA6AE325797D51EB2D0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:40:03
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe
Imagebase:	0x6a0000
File size:	3'368'960 bytes
MD5 hash:	7056E050EBBFCA6AE325797D51EB2D0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:40:03
Start date:	27/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f
Imagebase:	0x7ff61a4d0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:40:03
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848D93525 Relevance: 1.6, APIs: 1, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848D93607

Memory Dump Source

Source File: 00000000.00000002.2065352971.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848d90000_OneDrive.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8fdcc2298fe669970997fe50d78eeffa21e78d7b60a96ed92d0283a1db2cd1a2
Instruction ID: 275524ac29623fd3a53459007793792a6e62eb3ae39985d955aa3fb06afb2003
Opcode Fuzzy Hash: 8fdcc2298fe669970997fe50d78eeffa21e78d7b60a96ed92d0283a1db2cd1a2
Instruction Fuzzy Hash: E731F23180DB5C9FDB59DB6888496F9BBF0FF56310F04426BD049D76A2CB24A805CB91

Function 00007FF848D93569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848D93607

Memory Dump Source

Source File: 00000000.00000002.2065352971.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848d90000_OneDrive.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 923beec518475022644c1dc2fd0e71cb1f3bfa3e1115ade8da4f3ba8feae3e1b
Instruction ID: ebdad70372b61fdf7bd828c8132b27c92a5a3ae1a6fed8c98268f655329fd947
Opcode Fuzzy Hash: 923beec518475022644c1dc2fd0e71cb1f3bfa3e1115ade8da4f3ba8feae3e1b
Instruction Fuzzy Hash: A431D03190DB5C9FDB59DB5888496F9BBF0FF66320F04426BD049D32A2DB74A806CB91

Analysis Process: Onedrive.exePID: 6348, Parent PID: 3184COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848FE8A61 Relevance: 2.0, Strings: 1, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0_H, xrefs: 00007FF848FE8E61

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: 0_H
API String ID: 0-1720258304
Opcode ID: 031a7c3b5325b53f89533825219fef8a98ab49ad81a8008a2dbb40fcfb323f7d
Instruction ID: 509a9e36040b36970d484aac8c3ee59aa4c0145651c9773cca5973903d739f3f
Opcode Fuzzy Hash: 031a7c3b5325b53f89533825219fef8a98ab49ad81a8008a2dbb40fcfb323f7d
Instruction Fuzzy Hash: 43227C30A1CA094FEB98EB2884957B9B7E2FF98340F5441BDD44EC36D6DF28A8468745

Function 00007FF848FE5BE1 Relevance: 1.9, Strings: 1, Instructions: 689
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*I, xrefs: 00007FF848FE6070

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: *I
API String ID: 0-3221878220
Opcode ID: 08c1fc3bdecc3c6f20bfc6de00b2a50b13d6111f2404af208969435791cf1ccd
Instruction ID: 3140ef0b8e51439c1ca92aab388679c35567cc3a5e9cd5fdb2e73cb0cb643471
Opcode Fuzzy Hash: 08c1fc3bdecc3c6f20bfc6de00b2a50b13d6111f2404af208969435791cf1ccd
Instruction Fuzzy Hash: 46323A70A18A198FEB98EF18C8857B9B7E1FF98341F1041B9D44ED3295DB38E981CB44

Function 00007FF848FE93C1 Relevance: 1.4, Instructions: 1421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e31f914e741ca3ed0f7d09aa4c2656b34e85a574686fa83f2eadbc5354d86e6
Instruction ID: dcf3773e0f95731aa6fd3c8340785ba2077b12fffe99035d59efa38c0a00eafd
Opcode Fuzzy Hash: 0e31f914e741ca3ed0f7d09aa4c2656b34e85a574686fa83f2eadbc5354d86e6
Instruction Fuzzy Hash: 9A92E030B1C9494FEB99EB2C9459BB937D1EF99390F0400BAD44EC72E6DF28AC428755

Function 00007FF848FE4DC6 Relevance: 1.3, Instructions: 1276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf5cbb52f68ac4210c5609b923fbfcb8cc23be1b30e34bb64d05decfcec96ce
Instruction ID: ac29bcd5d86d3ebb53f2e6f82f1aa9ad9dafd48131371c93c23b6bd8e614d184
Opcode Fuzzy Hash: caf5cbb52f68ac4210c5609b923fbfcb8cc23be1b30e34bb64d05decfcec96ce
Instruction Fuzzy Hash: FB929E70A18A098FDF98EF18C494BB977E2FF58740F1441A8D04ED7296DB39E886CB45

Function 00007FF848FEA7CD Relevance: .9, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c661d586872d0a1ae6cdc3ef053f03623a12e4802f1cb80adc4086e62b43dc39
Instruction ID: b3042cea864b773ccde10f23002f6f3c3edecaee6edde9b74863f6eef3d832c9
Opcode Fuzzy Hash: c661d586872d0a1ae6cdc3ef053f03623a12e4802f1cb80adc4086e62b43dc39
Instruction Fuzzy Hash: 06622D30618A498FDB98EB2CC459B7977E2FFA9340F1445B9E04DC72A6DF38E8418B45

Function 00007FF848FED6D4 Relevance: 3.9, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xUH, xrefs: 00007FF848FED72B
N(_H, xrefs: 00007FF848FED764
xUH, xrefs: 00007FF848FED6FA

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: N(_H$xUH$xUH
API String ID: 0-307226521
Opcode ID: 526528212760ee513c98dfc3cd19f722ef36009dc024b7916a1e282c63236bea
Instruction ID: 6e46f42ea9d4102a6bb081e11229f71811e44a0c03dbcaaaf92ddeff56ffa6a8
Opcode Fuzzy Hash: 526528212760ee513c98dfc3cd19f722ef36009dc024b7916a1e282c63236bea
Instruction Fuzzy Hash: 20214B31E0C6450FE3186F2CA85A0B5BBD2EF95760B1841BFE44EC7287DD69AC438384

Function 00007FF848FE3125 Relevance: 2.8, Strings: 2, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'H, xrefs: 00007FF848FE331C
'H, xrefs: 00007FF848FE31B8

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: 'H$ 'H
API String ID: 0-2114804990
Opcode ID: 4d7c16099c6641a245747a564289794b1954666289b9ffe30b144652818e08f8
Instruction ID: 0c2945b7f3d1487608425f633976ac42a99adbfc8635fff1e89f87c52c77a04d
Opcode Fuzzy Hash: 4d7c16099c6641a245747a564289794b1954666289b9ffe30b144652818e08f8
Instruction Fuzzy Hash: EAA15931A0CA498FDB98EB2CD4556B977E2EF98354F10417DE45ED32C2DF39A8028B49

Function 00007FF848FECACE Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`5I, xrefs: 00007FF848FECBB9
`5I, xrefs: 00007FF848FECBF4

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: `5I$`5I
API String ID: 0-2846764210
Opcode ID: 79c751f4c92dff1d66f1c9d89c72d504176968021f3a65a6045436d5aa579fcb
Instruction ID: 3e2bb1a27ad549038a2e49da81d9e154ea298a3f317b295e8ddffa1d5de0c1df
Opcode Fuzzy Hash: 79c751f4c92dff1d66f1c9d89c72d504176968021f3a65a6045436d5aa579fcb
Instruction Fuzzy Hash: 73413572D1DA8A4FD369DB2C94551B17BD0EF55792F0806BED048C71D3EE2C688A8385

Function 00007FF848FE2C10 Relevance: 1.7, Strings: 1, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'H, xrefs: 00007FF848FE3058

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: 'H
API String ID: 0-2902304405
Opcode ID: 2cafecd261f2877cc8ee7a9912bb847f9548afe15fa4254a5145993e77110782
Instruction ID: 08256063a4aa4c463d4228e4781d98c4a8b057fb3347c29193964299a9c6cfd9
Opcode Fuzzy Hash: 2cafecd261f2877cc8ee7a9912bb847f9548afe15fa4254a5145993e77110782
Instruction Fuzzy Hash: C0E11431A0DA9A4FE7A5EB6C88592B57BD1FF94350F0401BAE04DC72D6EF2CAC468345

Function 00007FF848FE3F38 Relevance: 1.7, Strings: 1, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF848FE4457

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 04bdf931d1323e3a986bf61b7105d7917bbc68be5004a979fed60f422bb8d3f5
Instruction ID: a314a9a0030176b5addaf1dd8c46f11ba2585d8cf04a897fac433c2e005077d1
Opcode Fuzzy Hash: 04bdf931d1323e3a986bf61b7105d7917bbc68be5004a979fed60f422bb8d3f5
Instruction Fuzzy Hash: D8D10531A0DB4A4FE795AB2894553787BD1EFA6350F1402BED48AC72D2DF1CAC468385

Function 00007FF848D73525 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848D73607

Memory Dump Source

Source File: 00000004.00000002.3297554913.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d70000_Onedrive.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: dbeda589a618152ec63a32b2aa7adbd07d95b6149929012e7c3a36488f5aefd4
Instruction ID: 25619070de3ede1ebf0cc36af3a04d6b0edf5cca4cd450c7b39935c52b175012
Opcode Fuzzy Hash: dbeda589a618152ec63a32b2aa7adbd07d95b6149929012e7c3a36488f5aefd4
Instruction Fuzzy Hash: 7B41D33180EB9C9FDB59EB6C88496E97FF0EF66310F0441AFD049C7292DB246809C791

Function 00007FF848D73569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF848D73607

Memory Dump Source

Source File: 00000004.00000002.3297554913.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d70000_Onedrive.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 547acb44b53f53f9405488e1a38f91c4eac63a4df76b4a394efc913c24568dae
Instruction ID: 346fd0e2c5cb924036894a1fe668d9a423d2e864cfa99bb274746ec7351413e3
Opcode Fuzzy Hash: 547acb44b53f53f9405488e1a38f91c4eac63a4df76b4a394efc913c24568dae
Instruction Fuzzy Hash: E431CD3190DA5C9FDB59DB5888496F9BBF0FF66320F04426FD049D3292CB74A80ACB91

Function 00007FF848FE3451 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(_L, xrefs: 00007FF848FE3673

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: (_L
API String ID: 0-1598577166
Opcode ID: 17382d9dd61b726a57088e2913d096d232da48daae6ff323729067b730369f5b
Instruction ID: c1f1129c8c2d751294ef9655d31995e3fe3bebf328a6de07f7a0d0a4675d8465
Opcode Fuzzy Hash: 17382d9dd61b726a57088e2913d096d232da48daae6ff323729067b730369f5b
Instruction Fuzzy Hash: DB91F131A0DB4A8FD7A5EB2C9848AB5B7E1FF59350F0401BAD04EC32D6DF29A845C785

Function 00007FF848FEC349 Relevance: 1.4, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a(_H, xrefs: 00007FF848FEC373

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: a(_H
API String ID: 0-3517239323
Opcode ID: 8258a0eb3ee001e734a0bb49080a8fb75fb878f4bd09029cb84dc42a88cd33c6
Instruction ID: 942e7175002ed517a50e1b13abebff9547cb8cd583004cf751d3cecfd5f58656
Opcode Fuzzy Hash: 8258a0eb3ee001e734a0bb49080a8fb75fb878f4bd09029cb84dc42a88cd33c6
Instruction Fuzzy Hash: 9E51F172E2CA4A5FE398EB3840552B577D2FFA8790F54017AD04EC36C6EE29A8468345

Function 00007FF848FE20E2 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

#)_^, xrefs: 00007FF848FE2101

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: #)_^
API String ID: 0-363831243
Opcode ID: a934f597f5c1f49a6f102f444c676a9d9164936c6033ce00f6993a6386acc23f
Instruction ID: 6ae0df75d19793d3787d0097b1584818b8a7d38969b03f17d47e2963bfe58562
Opcode Fuzzy Hash: a934f597f5c1f49a6f102f444c676a9d9164936c6033ce00f6993a6386acc23f
Instruction Fuzzy Hash: 6B41D63390E756AFD301BFB9E8991E47350FF01329F28457AD0888A497DB39668087E9

Function 00007FF848FE20D7 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

#)_^, xrefs: 00007FF848FE2101

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: #)_^
API String ID: 0-363831243
Opcode ID: a42541300c4d3e38e6d43c5abfffa2c05e56703cac34fae835c7db8d2a20a785
Instruction ID: 0df3836dda831ba178d9a5aec37544b39d17ab6202698a44e8b26336529baf95
Opcode Fuzzy Hash: a42541300c4d3e38e6d43c5abfffa2c05e56703cac34fae835c7db8d2a20a785
Instruction Fuzzy Hash: 4B41B93390E756AFD301BFB9E8991F47350FF01369F28457AD0888A487DB39668487E9

Function 00007FF848FE20CF Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

#)_^, xrefs: 00007FF848FE2101

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: #)_^
API String ID: 0-363831243
Opcode ID: a36e053628e31ca56d5f4c437dac99f32438ca0f758a37709788500b4c7ba955
Instruction ID: 860b8af08aec0667a7838b4cac23dbfac8bfb0932ff0b1fe10207817f12944f8
Opcode Fuzzy Hash: a36e053628e31ca56d5f4c437dac99f32438ca0f758a37709788500b4c7ba955
Instruction Fuzzy Hash: 1441C83390E756AFD301BEB9E8891F47350FF01318F28457AC088CA487DB39668087E9

Function 00007FF848FED155 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

0wH, xrefs: 00007FF848FED1B3

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: 0wH
API String ID: 0-2537057221
Opcode ID: 94344b365420fe467737c542febce39f4ffe521125fa57f886aebe09dfd68edf
Instruction ID: b0042bc5ee9b5b03989adb789c16e97f5149faacbc9b09e099bb690ac40a74d3
Opcode Fuzzy Hash: 94344b365420fe467737c542febce39f4ffe521125fa57f886aebe09dfd68edf
Instruction Fuzzy Hash: 7C31FC3090DA8A8FE3A9B32C985527076D0EF85291F1840BAC44EC69D2DE1CE8818751

Function 00007FF848FE3140 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

'H, xrefs: 00007FF848FE31B8

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: 'H
API String ID: 0-2902304405
Opcode ID: ddea2c9151a5f085a06eb03f4c08de23eecdec430ceaa428d38b9132e7ec88b2
Instruction ID: 863ba9fde61138bfba7c96d44cb81220de32508341ba305526db5c7deddff3d7
Opcode Fuzzy Hash: ddea2c9151a5f085a06eb03f4c08de23eecdec430ceaa428d38b9132e7ec88b2
Instruction Fuzzy Hash: 25216831A08A499FDB88EF2CC4496AA77E1FF99315F10007DE40DD3282CB35A852CB44

Function 00007FF848FE223A Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

p:H, xrefs: 00007FF848FE2271

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: p:H
API String ID: 0-939785553
Opcode ID: 1e714f1ee51c45c698ad8aa653826817d94136e3a17db211b23d054c5c4a0aba
Instruction ID: cf0cd912bb0299e44040ec510159d9d8d0e78f67f707615d3835db5e0bc20a99
Opcode Fuzzy Hash: 1e714f1ee51c45c698ad8aa653826817d94136e3a17db211b23d054c5c4a0aba
Instruction Fuzzy Hash: CCF0C23180DAC96FEB11EB7894492BABFF0EF56300F5540E7E448C7193DA3865448752

Function 00007FF848FE3020 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

'H, xrefs: 00007FF848FE3058

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID: 'H
API String ID: 0-2902304405
Opcode ID: 8c6b9e6ea56d94fe1e023407722ffa86768717ef2b6676c13c14c832d886c5fb
Instruction ID: 1c9be17e7041924f14ee67a7be93103f3012fc94d9fad652b74fa57a90d823f1
Opcode Fuzzy Hash: 8c6b9e6ea56d94fe1e023407722ffa86768717ef2b6676c13c14c832d886c5fb
Instruction Fuzzy Hash: 1FF0BE31E1CA4A4FE355BA3C940927673D1EF18209F0409BED88EC76A2DF28D8428289

Function 00007FF848FE9764 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80b9ea25ec92dea7f063f80e7376e30861b0df2751dfa5d368d523d9526bcad
Instruction ID: 6dab649325196b6d800fcf861aed7de07e64870dd74c27e69068681f8dd7bb94
Opcode Fuzzy Hash: a80b9ea25ec92dea7f063f80e7376e30861b0df2751dfa5d368d523d9526bcad
Instruction Fuzzy Hash: 89D14A3071C9098FEB99EB2CC499A7973E1FF99340F1141B9E44EC72A6DE28EC428755

Function 00007FF848FE8BD9 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bf58a3aae0df8a2d207205d1194a4f0bd22de478adc7cc7ee56bfb9d0997c1
Instruction ID: ff6156da441a72c84bfcb657f63c2346f802f4463cf510dc705c455098fef8e7
Opcode Fuzzy Hash: 29bf58a3aae0df8a2d207205d1194a4f0bd22de478adc7cc7ee56bfb9d0997c1
Instruction Fuzzy Hash: 33D1DC30A1DA4A4FEB59FB2884947B8B7D1EF55384F5401B9D48EC76D3DF2CA8468318

Function 00007FF848FEA3D9 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f5a6d997cae2992e9c8b59f02dc5efb432b68dbf8d4d1d2af9d02ad12ec988
Instruction ID: 572e1dc0fbc3c527aac8872804d9a21ab37fe7ffe00845c3352001080b1b90e0
Opcode Fuzzy Hash: 36f5a6d997cae2992e9c8b59f02dc5efb432b68dbf8d4d1d2af9d02ad12ec988
Instruction Fuzzy Hash: 85D19231A1CA098FDBA8EB28C4457B9B7E1FFA8340F104179D04ED72D6DF38A8858B45

Function 00007FF848FE8C28 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470d96879035b5bdf329128e3ff1c1fa0c6aafeb7957dd40b8485a9c3779a13d
Instruction ID: 9b3f35de0069c07800b30a482527a73ca3e431cc592061398969eeae5c6354ee
Opcode Fuzzy Hash: 470d96879035b5bdf329128e3ff1c1fa0c6aafeb7957dd40b8485a9c3779a13d
Instruction Fuzzy Hash: 3EB18E30A1DA494FEB99BB2D84557B877D2EF58384F5041BCD48EC36D6DE2CA8468318

Function 00007FF848FE8D58 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2536e4d338bbd4b8ac1c15795f460586bc49f23c6c9a9bfd7b8d71a0a241d83a
Instruction ID: 2648a41b6b0d331270147c118e0f5774ced64240f3b7f5bf2bc60486bb95e2dc
Opcode Fuzzy Hash: 2536e4d338bbd4b8ac1c15795f460586bc49f23c6c9a9bfd7b8d71a0a241d83a
Instruction Fuzzy Hash: E1A16D30A1C9094FEB99FB2884957B8B7D2FF98384F5041BCD48EC36D6DE2DA8468754

Function 00007FF848FE8D1D Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff33f33bd7beba742d29af0b21e5281293a16a9bfb71c6704946ba4c945e14c
Instruction ID: c8e2237388dd1c493dff54f7051f6395203455ac27a5974c841a2d0cb253d068
Opcode Fuzzy Hash: cff33f33bd7beba742d29af0b21e5281293a16a9bfb71c6704946ba4c945e14c
Instruction Fuzzy Hash: ABA16D30A1CA094FEB59FB2884957B877D2EF98384F5041BDD48EC36D7DE2CA8468758

Function 00007FF848FE7430 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28355b390cc478467c66110292e31c4947e3e82e4f6dd1df66601b4950cba797
Instruction ID: a401ef4158b23e0266e34b8616a405e2a351c2eef646fc05ab721b152a953806
Opcode Fuzzy Hash: 28355b390cc478467c66110292e31c4947e3e82e4f6dd1df66601b4950cba797
Instruction Fuzzy Hash: 66810432A0DE8A4FE396A77C98551B07FE1EF66250B1901FAC089C71D7EF1CAC068355

Function 00007FF848FE8CE3 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce970d5fb99c83bcd131f507d13ca3889ac341a2518c727a6296115ab43a008
Instruction ID: 1587d29be42b287422b8b4a22a7e1cd8d0226e759a740a4e61dfc73816e51a86
Opcode Fuzzy Hash: cce970d5fb99c83bcd131f507d13ca3889ac341a2518c727a6296115ab43a008
Instruction Fuzzy Hash: E2916D30A1CA094FEB98FB1C84957B8B3D2FF98384F5041B8D48EC36D6DE2DA8458758

Function 00007FF848FE8BBD Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512468e52753c4a2ea97d3079ec767131b2719e2dc337bcc6100100ec723813e
Instruction ID: 5c118c79b34df1f0ffb7ba8537200935bdbbd4704db6755098a9ffd63aaa2988
Opcode Fuzzy Hash: 512468e52753c4a2ea97d3079ec767131b2719e2dc337bcc6100100ec723813e
Instruction Fuzzy Hash: 0A915E30A1CA094FEB99FB2D84957B977D2FF98384F5041B8D48EC36C7DE2CA8458658

Function 00007FF848FE8D01 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9f55245277be908cc20748509b465bf364c690f7bc5dde274dc0cc81963fd0
Instruction ID: dd0babeb25378aaef6dbd023ea8d90df2a3a38b1ed08aa8f39042073b93b94be
Opcode Fuzzy Hash: 1f9f55245277be908cc20748509b465bf364c690f7bc5dde274dc0cc81963fd0
Instruction Fuzzy Hash: C3915D30A1CA094FEB99FB1C84957B977D2FF98384F5041B8D48EC36D6DE2CA8468758

Function 00007FF848FE6FC5 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15ea5a67e66750ea3a4a840304fe60528170d203f3ae93a51fefb799a263f60
Instruction ID: d8e60c0e0427c0d4401f8f67318f39e2ca24ca91a88a6cc9d03f07275b69ca6d
Opcode Fuzzy Hash: c15ea5a67e66750ea3a4a840304fe60528170d203f3ae93a51fefb799a263f60
Instruction Fuzzy Hash: 6D712131B1DD494FE798F72CE8496B577D1EF99360F0400BAD04EC72A6EE29AC428385

Function 00007FF848FED231 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c08a829e18da4d2fc0dbade45e12c185ac38be777f092d7f0cd3e6fe1854f7
Instruction ID: d1fbcd5de026f4d2490303a9284f52d1aafbb2a9e17d886191fcc052bda1bb45
Opcode Fuzzy Hash: d5c08a829e18da4d2fc0dbade45e12c185ac38be777f092d7f0cd3e6fe1854f7
Instruction Fuzzy Hash: 9371AE71A1D9894FDB98EF2CC454AB977E2FF98350F0401BAE04EC72D6CA28EC418745

Function 00007FF848FE6C31 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbff202e9464edf7c53214bd315b5a1bff7d18dd6a8c4b4e2cb2c0e89c0dda3
Instruction ID: eb4aaadd5e01f1611eb273fb5b39bb98880f7d3173fd0c078b806fcb70c1b828
Opcode Fuzzy Hash: 7fbff202e9464edf7c53214bd315b5a1bff7d18dd6a8c4b4e2cb2c0e89c0dda3
Instruction Fuzzy Hash: FC61B171A1D94A8FE7A9F72C945627667D2FF98790F8400B9D04EC32C6CF2DAC028348

Function 00007FF848FE3997 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c9d7e43528a0719756c661b84b7be20176ffb6434f8b992708c0a275ce86aa
Instruction ID: 99ea9262432e7e2f8b9ca9188054a27f38effd0bb7bd419c6653ed98f24b9a5d
Opcode Fuzzy Hash: 37c9d7e43528a0719756c661b84b7be20176ffb6434f8b992708c0a275ce86aa
Instruction Fuzzy Hash: 2E71AE31A1CA068FE768EF2CD44967573E2EF84740F1540B9D44EC72D6DF38E8868A46

Function 00007FF848FEC160 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ff3347dfbfe802fa10800b9c4278888e95cef06b3caf23a023d1f58d119241
Instruction ID: 94652ea3a1bb45c39d08a946367a4b9bcd7774dcf4b423349becf70d07181a3f
Opcode Fuzzy Hash: 29ff3347dfbfe802fa10800b9c4278888e95cef06b3caf23a023d1f58d119241
Instruction Fuzzy Hash: D3519831F1DA4A8FE399AB3C90553B573D2EF98791F5001BAD40EC72CAEE696842C700

Function 00007FF848FE36F5 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9ec69813e690e1b683b730be0f5762e849cab22e96c64fc39a9cfa96a252fb
Instruction ID: 3725c4b87d0644314313fa91638be2d300fbc4d10126dd890d804768bfe9706a
Opcode Fuzzy Hash: eb9ec69813e690e1b683b730be0f5762e849cab22e96c64fc39a9cfa96a252fb
Instruction Fuzzy Hash: 33512671A0CA495FFB54F72C98446767BD1EF963A8F1402BED48DC31D2EE1CA8028385

Function 00007FF848FE4705 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ceed11b4c2160b1b52fed69c727b48c29e67482f382cb6ec3d03e82cc5a2c8
Instruction ID: 72fecd65ed019f26a5d3edcf173aa9171eabfeaf7b22e45bd98684e717dfe0af
Opcode Fuzzy Hash: 53ceed11b4c2160b1b52fed69c727b48c29e67482f382cb6ec3d03e82cc5a2c8
Instruction Fuzzy Hash: 00418B3160CC1E8FEBA4FB1CE495AB573D1FF69390F1500BAD449C7292EA19EC428785

Function 00007FF848FED495 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822f777a495442dea19d179392b216bd878d0baeffd7900de4edecac99b4aebe
Instruction ID: 12f57da9ecf409745fc77d22ba6308d8054c8015f12ea6a52c1a9ef66a537ce9
Opcode Fuzzy Hash: 822f777a495442dea19d179392b216bd878d0baeffd7900de4edecac99b4aebe
Instruction Fuzzy Hash: 9B518E70909A8D8FDB85EF2CC844ABA7BE1FF59354F0445BAE449C7692DB38A805CB40

Function 00007FF848FE6E69 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c73f1ee0214a55ccc71851683d0a64419b60015571f5b2cac36967876c4979
Instruction ID: 5a21ea6295677ca8aee6adea90279aa1fba5fc61c29d7a84a809f9ebd6e57b39
Opcode Fuzzy Hash: f5c73f1ee0214a55ccc71851683d0a64419b60015571f5b2cac36967876c4979
Instruction Fuzzy Hash: C841F721A1D6C90FE796A73C98646757FE1DF96240F0804FBD089C71E7EA1D9885C305

Function 00007FF848FE3A11 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dd86853b0cea6659738ce4745af713113f812b4635d51aee4bd2b97b06a804
Instruction ID: cb01edc0cdc9d24a450294caff1e7a326be03bf852d5b34efb38907dd52cc0f0
Opcode Fuzzy Hash: e5dd86853b0cea6659738ce4745af713113f812b4635d51aee4bd2b97b06a804
Instruction Fuzzy Hash: 2441AB30A2CA0A8FD768EF2C944963573E2FB88744F11817DE44EC32D6DF38E8468685

Function 00007FF848FECD79 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd65b67e11f49d3cfda103215c05453fdd03d31781cf35ffe80c31efd9dc175
Instruction ID: 8ffd3251fbc3d7bf6b2196a171e99702f27c85cad8e47c67d039812e56fa4912
Opcode Fuzzy Hash: ccd65b67e11f49d3cfda103215c05453fdd03d31781cf35ffe80c31efd9dc175
Instruction Fuzzy Hash: D941A17190CA488FDB49DB68D4046A9BBE1FF95311F04426FE04DD3292DB38A845CB81

Function 00007FF848FECED0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3a0b2675364777f9dd46dbed6939796eb3203be0fd68c9dd1616e798c8c2ac
Instruction ID: c189d4ab41a62c15d68d6c11be26458923d3340d526852db39fe8f14f39cbf6a
Opcode Fuzzy Hash: cb3a0b2675364777f9dd46dbed6939796eb3203be0fd68c9dd1616e798c8c2ac
Instruction Fuzzy Hash: 71414B30A18A8A8FEB98EF18C455BB937A1FF49345F5400B9E40EC72D6DB39E855C705

Function 00007FF848FE28F2 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf410e7b3d5578478a96da39516b7e0a5af9057f231d4766f5adde165ea2f66
Instruction ID: 7fb80b9069bce7f761b65e3762348a624a74f434a049073ac8a12c3682eff45b
Opcode Fuzzy Hash: edf410e7b3d5578478a96da39516b7e0a5af9057f231d4766f5adde165ea2f66
Instruction Fuzzy Hash: A941F432A1EA8A4FE755B76998552F537A1EF55380F1400B7E04EC71C7DE2CAC0A836A

Function 00007FF848FE2EC6 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36d68a0e4184abd65d98403a4fffa6bf56c9676d4f72ed03f2f6c69f4c595c9
Instruction ID: a7cf191eba6871c916f454ad478a386aec145f72b80adc037fbc366403af0324
Opcode Fuzzy Hash: b36d68a0e4184abd65d98403a4fffa6bf56c9676d4f72ed03f2f6c69f4c595c9
Instruction Fuzzy Hash: 59310531A0DACA4FD39AA77844556B1BBD1EF9A350F0440FAD009C72DBEE6D984AC345

Function 00007FF848FE3730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73adc1bb7d9eb70dfbd095445cdc8bba0a6f8d13b6e5566cb9ba369a586310f
Instruction ID: 2fffac3182c26e70bce99064121dc5e9f940c217413d29912e3c11cac5a221be
Opcode Fuzzy Hash: b73adc1bb7d9eb70dfbd095445cdc8bba0a6f8d13b6e5566cb9ba369a586310f
Instruction Fuzzy Hash: ED31C375A1C90D5FFF98FB2C9449A7637D2EB99395F10017DE84EC32D2EE29A8024784

Function 00007FF848FE75F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2af61a5819e7a446d43cc984aca08f2194de1840c0c55c9e535df4c6254176e
Instruction ID: 448848857ce2b33ca5241961c393f97ef2f6dd07e654525e87f41435f6f4aad9
Opcode Fuzzy Hash: b2af61a5819e7a446d43cc984aca08f2194de1840c0c55c9e535df4c6254176e
Instruction Fuzzy Hash: 8E115032F1DD0D1FE3A8AA5D98495B177C1EBA83A4F5501BAD00DC32C6EF18BC424385

Function 00007FF848FEC466 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007affd61149fe057e3988d012ee5ae446f871ee81bb06b6e9aeddc0a9d1a4bd
Instruction ID: 14c97c142f1300f3993238480714b40f01381e77509f085691700013153110e9
Opcode Fuzzy Hash: 007affd61149fe057e3988d012ee5ae446f871ee81bb06b6e9aeddc0a9d1a4bd
Instruction Fuzzy Hash: E4212562A2DE8A2FE759E739445A6B567E1FF64380F4400BAD04EC35C7EE1CB8058346

Function 00007FF848FE798D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addf0c89458e0d52a93f1131771ae7de10115f675388be1192e47de13e3cddd6
Instruction ID: 767d20d80b5a1953e3a1359ece226237a78d43a05d6bebc16a5ef437b6aaa6a3
Opcode Fuzzy Hash: addf0c89458e0d52a93f1131771ae7de10115f675388be1192e47de13e3cddd6
Instruction Fuzzy Hash: BB215B3061CA098FDB98EF1DD4456B9B7E1FF98711F10117EE48AD32A1CB35E8428B45

Function 00007FF848FE2944 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a784f823965e96cdaebb19e7fbe30b87f7de3e1b1f50711a992f5914595d217f
Instruction ID: 423141db05eff76ae1fb3d6f311808b4e6a91f862ca00b7bc1ec8abda19a9e8a
Opcode Fuzzy Hash: a784f823965e96cdaebb19e7fbe30b87f7de3e1b1f50711a992f5914595d217f
Instruction Fuzzy Hash: 7E218E21B29A4A4FE754B76984953BA73D2EF58380F50447A904FC35CBDE2CA80A8796

Function 00007FF848FECCA5 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab8748dfd4e6d820df642a6bff38de5c227ca7a7aa10968f9b92ce9ca5a8235
Instruction ID: 5fe352977a05cc17bc8ce827079da259115cac80818cefac04e4cbb9dc78330e
Opcode Fuzzy Hash: aab8748dfd4e6d820df642a6bff38de5c227ca7a7aa10968f9b92ce9ca5a8235
Instruction Fuzzy Hash: 2411E31148EAC61FE34667B44C296E13FE5DF9B650B1D42EBE081CB4E3D85C488B8362

Function 00007FF848FED0CD Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f2a670f04530d099324350b76423dd1d995ed83dbe7f0df40f824152c0edc5
Instruction ID: 5926f2e3080c5969d7c39de105682bcc0a1c90700ec920d5df9f02cb04c7ff25
Opcode Fuzzy Hash: b1f2a670f04530d099324350b76423dd1d995ed83dbe7f0df40f824152c0edc5
Instruction Fuzzy Hash: F411E53158E6C64FC346AB748810AD17BE1EF8B16030941FAD089CB593C95C9887C721

Function 00007FF848FEC881 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048e783001f40a21a3777577c0eed848a54d01c56629875cfa001589988c3d7c
Instruction ID: 82fabe851df90603149710ad3a62dbd4b0b73e1b9410307a5c687f727f8b7eac
Opcode Fuzzy Hash: 048e783001f40a21a3777577c0eed848a54d01c56629875cfa001589988c3d7c
Instruction Fuzzy Hash: F5119A30D18A598FDB81FBA884416F97BE1FF5A341F01057AD008D7182EB79A900C780

Function 00007FF848FE4C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d332ecb388911d1df09c5604cd85327da7f68a2aab20fbc531b8175f8bf1327
Instruction ID: 468a9edd9fc609087186f121fca6a924c475cd86c89915a6afe4c690619dde42
Opcode Fuzzy Hash: 4d332ecb388911d1df09c5604cd85327da7f68a2aab20fbc531b8175f8bf1327
Instruction Fuzzy Hash: A601F52180DA954FE742E72894593B97FD1DF95260F080ABED088C70E2CA584ACA839B

Function 00007FF848FEC766 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556c04cc0f28e922e67be0436cc0c3310bda18b3962c4bd750c903de02fb114b
Instruction ID: b422bbc40c750d38a95459369ab182651b89d85a11e66291c36a628c9bccbdaa
Opcode Fuzzy Hash: 556c04cc0f28e922e67be0436cc0c3310bda18b3962c4bd750c903de02fb114b
Instruction Fuzzy Hash: 8EF08671E2DD8A4FE759FB3840915BA62A2FF98680F544479D05EC71CADF1CA8064306

Function 00007FF848FE22A9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1fcb52d52bde768dad0db2ad695a3ecf92cd6278ce03e26bc2280afb3d1fb9
Instruction ID: 5ff010df895daa80ebc87c83ed5cae2c4086728c89a332e66d20675dd8b69224
Opcode Fuzzy Hash: 7d1fcb52d52bde768dad0db2ad695a3ecf92cd6278ce03e26bc2280afb3d1fb9
Instruction Fuzzy Hash: 77F0FF31D1D6C84FE705EBB8882A1ED7FF0EF5A210F4901E7E408CB096EB3848458311

Function 00007FF848FE21D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ae66f45455ab96318ba5ed56543fcddef87596ec476fb169e51386d3550fef
Instruction ID: c54a8cc61f6d79466e66e61b61512662420ff576e75d943f3e8c8c80e7193ca9
Opcode Fuzzy Hash: 16ae66f45455ab96318ba5ed56543fcddef87596ec476fb169e51386d3550fef
Instruction Fuzzy Hash: A7F0E23268DA4E2FE344BA9D98811B17384FB80365F98013AD919C3585EBAEAA564294

Function 00007FF848FED44A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d55ed6157946def32a191a7875da3e467043b373fc521cc54f0736d7c0fdc11
Instruction ID: f88aa32c7ae028347b8d6366cea804c0c052816fb7cfd45187c70ed79a016733
Opcode Fuzzy Hash: 3d55ed6157946def32a191a7875da3e467043b373fc521cc54f0736d7c0fdc11
Instruction Fuzzy Hash: 6FF0273191C94C4FDB80FB488804AFAB7A8FB44370F000226E01EC3181D624A856C380

Function 00007FF848FE340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed3af9b73ce0a2b9583bcdd6eaaed64aee09103cf8106209930d35530b7d709
Instruction ID: de0283092cb97e3943182102789463737a2443332859b59c6f9fc86982971bde
Opcode Fuzzy Hash: fed3af9b73ce0a2b9583bcdd6eaaed64aee09103cf8106209930d35530b7d709
Instruction Fuzzy Hash: 47F08C7190D60D5FDB18EA49EC4AAEA37A8FB85220F00013AF44D82192DB256866C758

Function 00007FF848FECD35 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3299916596.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848fe0000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b95c76d298e8de0a07660ac8d0d579c5339972c186c709c4cb5cccf57acf55
Instruction ID: 441d02ebdd2b29736189cec04fe257867dc536e3f88eb15800d3d6c67b324c5f
Opcode Fuzzy Hash: c4b95c76d298e8de0a07660ac8d0d579c5339972c186c709c4cb5cccf57acf55
Instruction Fuzzy Hash: BDE012B2D1E3C59FC767AA3849295A53F90AF2769171A48EED185CF1F3F14A4C098312

Analysis Process: Onedrive.exePID: 5460, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848D920FA Relevance: 5.4, Strings: 4, Instructions: 359COMMON

Download Yara Rule

Strings

XAH, xrefs: 00007FF848D9220F
@WH, xrefs: 00007FF848D9232C
X]H, xrefs: 00007FF848D922B5
8BH, xrefs: 00007FF848D922FF

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID: 8BH$@WH$XAH$X]H
API String ID: 0-1232580898
Opcode ID: 1ac43676a3b36626779a4ef43e35674aa03d42c8a82bda99fff2c068618e3c6e
Instruction ID: f60c101fc1bef86603a172abf2296130ac730c4761b3b71acf7eb49f1e6a51ec
Opcode Fuzzy Hash: 1ac43676a3b36626779a4ef43e35674aa03d42c8a82bda99fff2c068618e3c6e
Instruction Fuzzy Hash: BCA1D522A0E98A4FEB95FB2894557B967E2FF98784F0401B9D41DC71C7CF2CAC068385

Function 00007FF848D92DC8 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848D92FCD

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f8aceb79cd0d0b9de6afeaa9547970121db558a30bc9c459d1b235671db096e9
Instruction ID: 1b3af45a5574b4a7ad1a3691aa44c6c944c45aae831a0524bb5e0c8cf8fbe9e3
Opcode Fuzzy Hash: f8aceb79cd0d0b9de6afeaa9547970121db558a30bc9c459d1b235671db096e9
Instruction Fuzzy Hash: F6717A31E1990E8FEB98FB6894557BDB3E2EF88794F444178D00ED3286DF28AC468745

Function 00007FF848D90BD1 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

;N_I, xrefs: 00007FF848D90C04

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID: ;N_I
API String ID: 0-1313454297
Opcode ID: 22571091d0aa2a92c099e76f707b74e0de86bfef174225bb0fdc81943ce9a5c8
Instruction ID: fa4497fa2bbdc64209108538a9d54a144af91b56a48609ff7a7c7762c0ed8178
Opcode Fuzzy Hash: 22571091d0aa2a92c099e76f707b74e0de86bfef174225bb0fdc81943ce9a5c8
Instruction Fuzzy Hash: 6F814A25A0EA869FE325B72C64543B57FA2FF45344F9441B9D588872CFCB389C05C396

Function 00007FF848D92110 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

XAH, xrefs: 00007FF848D9220F

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID: XAH
API String ID: 0-1576971220
Opcode ID: 2d9ca4a4ba0af61eb3a74f1151e5648164f072141d508f5f1af541e206fed9c2
Instruction ID: 085b059c080d98acd9b1972806e7454b2bd50dd2d50f16d1e1f7f8f4fc00288a
Opcode Fuzzy Hash: 2d9ca4a4ba0af61eb3a74f1151e5648164f072141d508f5f1af541e206fed9c2
Instruction Fuzzy Hash: 1F410332A0E98A4FEB95FB289451BF97BA1EF95384F0401B6D01DC71C7DF29A8098752

Function 00007FF848D90872 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

0wH, xrefs: 00007FF848D908A6

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID: 0wH
API String ID: 0-2537057221
Opcode ID: a54c6a8aefe9f9e85ba1bdbb627a39f5d4e7919947968b9f657e35cda32c01fc
Instruction ID: e9cffc47e3cd9c34e24693bb918b418b55418f44618755a5aaa0d1a33b72c47d
Opcode Fuzzy Hash: a54c6a8aefe9f9e85ba1bdbb627a39f5d4e7919947968b9f657e35cda32c01fc
Instruction Fuzzy Hash: 56210192D1EAC69FE356B73458253B56BA0FF527D0F4905FAC089CB1C7DE0C28488392

Function 00007FF848D92729 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397f68fd3401e934cbd685a19780157d78f2a088f3649cc24d73f66913a011d6
Instruction ID: 53b662f0f042be087a15ea4d8178bc0514a7a6b4abd9cb3aa1fe1fce97aa323a
Opcode Fuzzy Hash: 397f68fd3401e934cbd685a19780157d78f2a088f3649cc24d73f66913a011d6
Instruction Fuzzy Hash: 4B411722E1EA495FE758EB2C940A3B977D1EF957A4F00017EE05ED32C2CF2858468396

Function 00007FF848D924F0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57af3ae90e2d513aab159ab4d930c19a1557ca5b7ebac6ad0ef5a6546e075db
Instruction ID: ccdde2fd4a654e4344e4df5de310b3abcfc9b40bbf57a5831c0e205590778660
Opcode Fuzzy Hash: e57af3ae90e2d513aab159ab4d930c19a1557ca5b7ebac6ad0ef5a6546e075db
Instruction Fuzzy Hash: B8416D15B1DD1E2FEEA4B62C40A57F926D3EB986C0F9046B5D10DC32CACF2C9C068385

Function 00007FF848D91BF5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1f38a1fc80a12d45f8535bdda7715c33d89691079f5990166185f1ef1b63bf
Instruction ID: 2df3253f92ac329348e9012f60c0b455b9974d943797001b89d2a655594eb6fa
Opcode Fuzzy Hash: 4f1f38a1fc80a12d45f8535bdda7715c33d89691079f5990166185f1ef1b63bf
Instruction Fuzzy Hash: 8C31A32854A64D6BE324E72C80993F93F63FB94344FD041A4DA08833CACB395501CBE3

Function 00007FF848D932DD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e8d859160ad7dd5659e96366be23d616b27d40b0fd0963aed6d8ae4dfc59ca
Instruction ID: 9429e3aaaedbd04620703b1db4a55cdd8fa0ecb228b40ee23b05461c56cd1974
Opcode Fuzzy Hash: 74e8d859160ad7dd5659e96366be23d616b27d40b0fd0963aed6d8ae4dfc59ca
Instruction Fuzzy Hash: 2D21D331E1A95D9FDB94FB3C84596B977E2FF58341B4504BAE40DC72A2DE28E805C780

Function 00007FF848D93491 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65739464d9943b6a1e3f2342fcd2bac9704383c3a8bf242e829c273582a6337
Instruction ID: c8aa910250198b24956bf5f4fc8c426a9e44942a3ff2f8a6e65d10815a64c6b3
Opcode Fuzzy Hash: b65739464d9943b6a1e3f2342fcd2bac9704383c3a8bf242e829c273582a6337
Instruction Fuzzy Hash: 3F119C3190EA850FE345F63C6C495F27BD1EF90264B0842BBE44CC31A3CF08958A8351

Function 00007FF848D9161A Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169b02cfbcc1d10d1f752236c11a00b20ed06f11965d8f70417ab9f1778d2b5c
Instruction ID: a2fa332b7f4a345dcd7cb2988c15182bdb1d6ba7e5238bc20482114c1b8569a0
Opcode Fuzzy Hash: 169b02cfbcc1d10d1f752236c11a00b20ed06f11965d8f70417ab9f1778d2b5c
Instruction Fuzzy Hash: 7F11C612B0EA990FD756F76D98653E43BE1EF9A265F0C01F7C04CCB193DA189C0983A5

Function 00007FF848D9196D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcf4189b95f4857935cde54c2dfe7a8e3a971a62d24299e23ac57b9c822f54a
Instruction ID: 9c1ce93df452e737e2cbd010ada513146ef5cee4da8623eedabec37c7e5ff538
Opcode Fuzzy Hash: 9dcf4189b95f4857935cde54c2dfe7a8e3a971a62d24299e23ac57b9c822f54a
Instruction Fuzzy Hash: 7A11C23051D6465FDB49DF24C0D19A5B7A1FFA9310B1442E6C4488F19FD728EC9AC7C0

Function 00007FF848D928D5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbfea1f358db7184669a9722546cc8a0294f668f7325bd4757e11cf89428669
Instruction ID: 1a36080762f7fb7eb5a8059c8a9e681a2322607777637ab47645469cd8f5cc1e
Opcode Fuzzy Hash: 3bbfea1f358db7184669a9722546cc8a0294f668f7325bd4757e11cf89428669
Instruction Fuzzy Hash: FE11C620A4FAC81FE747E3385899BA43FE1AF87265B0941F7D088CB0A3CA584845C352

Function 00007FF848D90DA9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcca91822166577d732fd0c21514e98e93823bba1738888690a7db26163c4068
Instruction ID: bed29c527e61654eb335798c475212795900b8f73bf0692f67418c22e7e520f4
Opcode Fuzzy Hash: bcca91822166577d732fd0c21514e98e93823bba1738888690a7db26163c4068
Instruction Fuzzy Hash: 96016D23E6DC8A4FD699B22C64497F527D2EB953A0F840577D40DD31CADF186C4A4386

Function 00007FF848D91E58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2034a85c5c35ea7ef908a0c8c82e1a9874eef63cc01e7d5bb6540f8f1ab38172
Instruction ID: c25312f3e02f0ed2dfc8430adde8ce41ded4a62b0913b3d2fd63c04a180751ca
Opcode Fuzzy Hash: 2034a85c5c35ea7ef908a0c8c82e1a9874eef63cc01e7d5bb6540f8f1ab38172
Instruction Fuzzy Hash: A4F02422B0EC1C1FE680F2AD54D9BF967C1DBAC266B0401B3E00CC72A7DD0898828390

Function 00007FF848D91E70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7176f78f037cd3e2b73eacbf16c7120551ad09ea4da0640f0f0b67a87c62ba2e
Instruction ID: d20c79c17370f094b01599ce1e9508013a0a369200d823f47449981c5d67e198
Opcode Fuzzy Hash: 7176f78f037cd3e2b73eacbf16c7120551ad09ea4da0640f0f0b67a87c62ba2e
Instruction Fuzzy Hash: 11E09221B1AC1D2FAB94F66D44C9B7966C1EBAC251B1405B6E40CC72A6DE189C818380

Function 00007FF848D9094D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2091571549.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d90000_Onedrive.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f615e47d89585cfe1e0914ca0410fbf3fc1b6cd28a5559c644d1a27405f2dd2
Instruction ID: f54da1f687d8a943c94b204f407e0081f07b524b79a6b83c43a3328cf2844e48
Opcode Fuzzy Hash: 6f615e47d89585cfe1e0914ca0410fbf3fc1b6cd28a5559c644d1a27405f2dd2
Instruction Fuzzy Hash: 9AE08622F4E8166BE999727C34421BC1181DF496E1F84047AD50DDB297DE1D6C430285

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OneDrive.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

C:\Users\user\AppData\Roaming\Onedrive\Onedrive.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
OneDrive.exe

Function 00007FF848D93525 Relevance: 1.6, APIs: 1, Instructions: 117
fileCOMMON

Function 00007FF848D93569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Function 00007FF848FE8A61 Relevance: 2.0, Strings: 1, Instructions: 709
COMMON

Function 00007FF848FE5BE1 Relevance: 1.9, Strings: 1, Instructions: 689
COMMON

Function 00007FF848FED6D4 Relevance: 3.9, Strings: 3, Instructions: 102
COMMON

Function 00007FF848FE3125 Relevance: 2.8, Strings: 2, Instructions: 339
COMMON

Function 00007FF848FECACE Relevance: 2.6, Strings: 2, Instructions: 150
COMMON

Function 00007FF848FE2C10 Relevance: 1.7, Strings: 1, Instructions: 490
COMMON

Function 00007FF848FE3F38 Relevance: 1.7, Strings: 1, Instructions: 438
COMMON

Function 00007FF848D73525 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Function 00007FF848D73569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Function 00007FF848FE3451 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Function 00007FF848FEC349 Relevance: 1.4, Strings: 1, Instructions: 199
COMMON