Windows Analysis Report
oneDrive.exe

Overview

General Information

Sample name: oneDrive.exe
Analysis ID: 1524367
MD5: 8509691d37f05049067df88592964a4b
SHA1: 37db71172ab64c108fedca85e5be51a499b2ba12
SHA256: 451ee465675e674cebe3c42ed41356ae2c972703e1dc7800a187426a6b34efdc
Tags: CeranaKeeperexeuser-JAMESWT_MHT
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found pyInstaller with non standard icon
Sigma detected: Rar Usage with Password and Compression Level
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: oneDrive.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: oneDrive.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: oneDrive.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: oneDrive.exe, 00000001.00000003.1516035668.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C7820 FindFirstFileExW,FindClose, 1_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6869E09B4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869C7820 FindFirstFileExW,FindClose, 2_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF6869E09B4
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assure
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digi
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: oneDrive.exe, 00000002.00000003.2042519257.000002365FB4A000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: oneDrive.exe, 00000002.00000003.2042519257.000002365FB3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: oneDrive.exe, 00000002.00000002.2047409308.000002365FA9C000.00000004.00001000.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2042519257.000002365FB4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: base_library.zip.1.dr String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: oneDrive.exe, 00000002.00000002.2046516934.000002365F558000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: oneDrive.exe, 00000002.00000003.2044048368.000002365D78E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524346227.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043078495.000002365D766000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1524238232.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2044640579.000002365D791000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043151919.000002365D781000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.1525072404.000002365D77E000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000003.2043506842.000002365D7C9000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2046222587.000002365D791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: base_library.zip.1.dr String found in binary or memory: https://mahler:8092/site-updates.py
Source: oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pixeldrain.com/api/file
Source: oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: oneDrive.exe, 00000001.00000003.1518068983.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517195160.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D190000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.1.dr, libcrypto-1_1.dll.1.dr String found in binary or memory: https://www.openssl.org/H
Source: base_library.zip.1.dr String found in binary or memory: https://www.python.org/
Source: oneDrive.exe, 00000001.00000003.1518995615.000002090D183000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: oneDrive.exe, 00000002.00000002.2046516934.000002365F4D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Detected potential crypto function
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C6780 1_2_00007FF6869C6780
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E4E20 1_2_00007FF6869E4E20
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E5D6C 1_2_00007FF6869E5D6C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E5820 1_2_00007FF6869E5820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D2800 1_2_00007FF6869D2800
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D4F50 1_2_00007FF6869D4F50
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6F98 1_2_00007FF6869D6F98
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D0FB4 1_2_00007FF6869D0FB4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C80A0 1_2_00007FF6869C80A0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E509C 1_2_00007FF6869E509C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869DD098 1_2_00007FF6869DD098
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6560 1_2_00007FF6869D6560
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869DFA08 1_2_00007FF6869DFA08
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D0DB0 1_2_00007FF6869D0DB0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869DD718 1_2_00007FF6869DD718
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D1E70 1_2_00007FF6869D1E70
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D13C4 1_2_00007FF6869D13C4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D2C04 1_2_00007FF6869D2C04
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869DCC04 1_2_00007FF6869DCC04
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E8B68 1_2_00007FF6869E8B68
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D0BA4 1_2_00007FF6869D0BA4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D8BA0 1_2_00007FF6869D8BA0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C1B90 1_2_00007FF6869C1B90
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E2D30 1_2_00007FF6869E2D30
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D11C0 1_2_00007FF6869D11C0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E31CC 1_2_00007FF6869E31CC
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869DFA08 1_2_00007FF6869DFA08
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D09A0 1_2_00007FF6869D09A0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E09B4 1_2_00007FF6869E09B4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E5D6C 2_2_00007FF6869E5D6C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E5820 2_2_00007FF6869E5820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D2800 2_2_00007FF6869D2800
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D4F50 2_2_00007FF6869D4F50
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6F98 2_2_00007FF6869D6F98
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D0FB4 2_2_00007FF6869D0FB4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869C6780 2_2_00007FF6869C6780
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869C80A0 2_2_00007FF6869C80A0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E509C 2_2_00007FF6869E509C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869DD098 2_2_00007FF6869DD098
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E4E20 2_2_00007FF6869E4E20
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6560 2_2_00007FF6869D6560
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869DFA08 2_2_00007FF6869DFA08
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D0DB0 2_2_00007FF6869D0DB0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869DD718 2_2_00007FF6869DD718
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D1E70 2_2_00007FF6869D1E70
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D13C4 2_2_00007FF6869D13C4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D2C04 2_2_00007FF6869D2C04
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869DCC04 2_2_00007FF6869DCC04
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E8B68 2_2_00007FF6869E8B68
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D0BA4 2_2_00007FF6869D0BA4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D8BA0 2_2_00007FF6869D8BA0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869C1B90 2_2_00007FF6869C1B90
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E2D30 2_2_00007FF6869E2D30
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D11C0 2_2_00007FF6869D11C0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E31CC 2_2_00007FF6869E31CC
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869DFA08 2_2_00007FF6869DFA08
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D09A0 2_2_00007FF6869D09A0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E09B4 2_2_00007FF6869E09B4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FFB24BD7508 2_2_00007FFB24BD7508
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\oneDrive.exe Code function: String function: 00007FF6869C2770 appears 82 times
PE file contains executable resources (Code or Archives)
Source: unicodedata.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: oneDrive.exe, 00000001.00000003.1516699890.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516035668.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516876549.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1518700114.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516336331.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1517590579.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516990933.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1518520091.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516220557.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs oneDrive.exe
Source: oneDrive.exe, 00000001.00000003.1516515363.000002090D183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs oneDrive.exe
Source: oneDrive.exe Binary or memory string: OriginalFilename vs oneDrive.exe
Source: oneDrive.exe, 00000002.00000002.2049775351.00007FFB0C237000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs oneDrive.exe
Source: oneDrive.exe, 00000002.00000002.2049922649.00007FFB24BE7000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs oneDrive.exe
Source: libcrypto-1_1.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.998725
Source: libssl-1_1.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9921420784883721
Source: python310.dll.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9990745427643289
Source: unicodedata.pyd.1.dr Static PE information: Section: UPX1 ZLIB complexity 0.9937514282449725
Source: classification engine Classification label: mal68.winEXE@32/13@0/0
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C74B0 GetLastError,FormatMessageW,WideCharToMultiByte, 1_2_00007FF6869C74B0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user~1\AppData\Local\Temp\_MEI75162 Jump to behavior
Source: oneDrive.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\oneDrive.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: oneDrive.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\oneDrive.exe File read: C:\Users\user\Desktop\oneDrive.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe"
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\oneDrive.exe File opened: C:\Users\user\Desktop\pyvenv.cfg Jump to behavior
Source: oneDrive.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: oneDrive.exe Static file information: File size 4802649 > 1048576
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oneDrive.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: oneDrive.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: oneDrive.exe, 00000002.00000002.2048958816.00007FFB0C10D000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: oneDrive.exe, 00000001.00000003.1516035668.000002090D183000.00000004.00000020.00020000.00000000.sdmp, oneDrive.exe, 00000002.00000002.2049874435.00007FFB24BE1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.1.dr
Source: oneDrive.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oneDrive.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oneDrive.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oneDrive.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oneDrive.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: oneDrive.exe Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.1.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF686A110E4 push rcx; retn 0000h 1_2_00007FF686A110ED
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF686A110CC push rbp; retn 0000h 1_2_00007FF686A110CD
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF686A110E4 push rcx; retn 0000h 2_2_00007FF686A110ED
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF686A110CC push rbp; retn 0000h 2_2_00007FF686A110CD
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Found pyInstaller with non standard icon
Source: C:\Users\user\Desktop\oneDrive.exe Process created: "C:\Users\user\Desktop\oneDrive.exe"
Drops PE files
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\python310.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe File created: C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C3DF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00007FF6869C3DF0
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\python310.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\oneDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75162\_decimal.pyd Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\oneDrive.exe API coverage: 5.5 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869C7820 FindFirstFileExW,FindClose, 1_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF6869E09B4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869C7820 FindFirstFileExW,FindClose, 2_2_00007FF6869C7820
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D6714 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF6869D6714
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869E09B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF6869E09B4
Source: HOSTNAME.EXE, 00000010.00000002.1835588220.000002AE70119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HOSTNAME.EXE, 00000008.00000002.1627714013.00000234D0FB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6869CB69C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E25A0 GetProcessHeap, 1_2_00007FF6869E25A0
Enables debug privileges
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB880 SetUnhandledExceptionFilter, 1_2_00007FF6869CB880
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF6869CAE00
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6869CB69C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869D9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF6869D9AE4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869CB880 SetUnhandledExceptionFilter, 2_2_00007FF6869CB880
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869CAE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF6869CAE00
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869CB69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF6869CB69C
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FF6869D9AE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF6869D9AE4
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 2_2_00007FFB24BE004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFB24BE004C
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Users\user\Desktop\oneDrive.exe "C:\Users\user\Desktop\oneDrive.exe" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del C:\Windows\Help\en-us\*.rar" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072c.rar C:\users\*.*" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "hostname" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Microsoft\Rar.exe a -r -v1m -n@C:\Windows\media\check.wav -ta20240929000000 -hpN@991li#S!@# C:\Windows\Help\en-us\87072D.rar D:\\*.*" Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E89B0 cpuid 1_2_00007FF6869E89B0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\Desktop\oneDrive.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869CB580 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00007FF6869CB580
Source: C:\Users\user\Desktop\oneDrive.exe Code function: 1_2_00007FF6869E4E20 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 1_2_00007FF6869E4E20
Source: C:\Users\user\Desktop\oneDrive.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1524367 Sample: oneDrive.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 68 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 AI detected suspicious sample 2->52 54 Sigma detected: Rar Usage with Password and Compression Level 2->54 8 oneDrive.exe 14 2->8         started        process3 file4 40 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 8->40 dropped 42 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 8->42 dropped 44 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 8->44 dropped 46 9 other files (none is malicious) 8->46 dropped 56 Found pyInstaller with non standard icon 8->56 12 oneDrive.exe 8->12         started        signatures5 process6 process7 14 cmd.exe 1 12->14         started        16 cmd.exe 1 12->16         started        18 cmd.exe 12->18         started        20 4 other processes 12->20 process8 22 conhost.exe 14->22         started        24 HOSTNAME.EXE 1 14->24         started        26 conhost.exe 16->26         started        28 tasklist.exe 1 16->28         started        30 conhost.exe 18->30         started        32 HOSTNAME.EXE 1 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 20->36         started        38 3 other processes 20->38
No contacted IP infos