Windows Analysis Report
onedrive.bat.exe

Overview

General Information

Sample Name: onedrive.bat.exe
Analysis ID: 829696
MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
Infos:

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Enables debug privileges

Classification

Uses 32bit PE files
Source: onedrive.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: onedrive.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: powershell.pdbUGP source: onedrive.bat.exe
Source: Binary string: powershell.pdb source: onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000003.103961663238.0000000002954000.00000004.00000020.00020000.00000000.sdmp, onedrive.bat.exe, 00000002.00000002.105188091472.000000000295D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: onedrive.bat.exe, 00000002.00000003.103961663238.0000000002954000.00000004.00000020.00020000.00000000.sdmp, onedrive.bat.exe, 00000002.00000002.105188091472.000000000295D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6LR
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Uses 32bit PE files
Source: onedrive.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Sample file is different than original file name gathered from version info
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048B2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Management.Automation.dllv+ vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048B2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000000.103939392812.0000000000564000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Management.Automation.dllv+ vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105188091472.00000000028B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs onedrive.bat.exe
Source: onedrive.bat.exe, 00000002.00000002.105194211165.00000000049F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs onedrive.bat.exe
Source: onedrive.bat.exe Binary or memory string: OriginalFilenamePowerShell.EXEj% vs onedrive.bat.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\onedrive.bat.exe Section loaded: edgegdi.dll Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_047DEBC8 2_2_047DEBC8
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_047DEBB8 2_2_047DEBB8
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CB81B8 2_2_07CB81B8
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CB81B1 2_2_07CB81B1
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CF6D18 2_2_07CF6D18
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFEAC8 2_2_07CFEAC8
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CF9150 2_2_07CF9150
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFEABD 2_2_07CFEABD
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE7DA8 2_2_07EE7DA8
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE2478 2_2_07EE2478
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE8ED0 2_2_07EE8ED0
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE5E90 2_2_07EE5E90
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE4678 2_2_07EE4678
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE3C60 2_2_07EE3C60
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EEB240 2_2_07EEB240
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EE3218 2_2_07EE3218
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07F00040 2_2_07F00040
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07F0ED92 2_2_07F0ED92
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07F052C0 2_2_07F052C0
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07F052B8 2_2_07F052B8
Source: onedrive.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\onedrive.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\onedrive.bat.exe C:\Users\user\Desktop\onedrive.bat.exe
Source: C:\Users\user\Desktop\onedrive.bat.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\onedrive.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: onedrive.bat.exe Joe Sandbox Cloud Basic: Detection: clean Score: 6 Perma Link
Source: C:\Users\user\Desktop\onedrive.bat.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tw0strn3.bud.ps1 Jump to behavior
Source: classification engine Classification label: clean5.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\onedrive.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: onedrive.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: onedrive.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: powershell.pdbUGP source: onedrive.bat.exe
Source: Binary string: powershell.pdb source: onedrive.bat.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CB3798 push esi; retf 0007h 2_2_07CB3B0A
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CB3787 push ebx; retf 0007h 2_2_07CB378A
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CB57B0 push esp; retf 0007h 2_2_07CB57B1
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CB3C10 push edi; retf 0007h 2_2_07CB3C12
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFDA58 push 0807CA01h; retn 076Ah 2_2_07CFDB15
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFE659 push es; retf 0007h 2_2_07CFE65A
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFE8FD push 00000007h; ret 2_2_07CFE900
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFF589 push cs; retf 0007h 2_2_07CFF58A
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CF7380 push 00000007h; ret 2_2_07CF7390
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CF9022 push eax; retf 2_2_07CF9029
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07EEAA6A push 8B059113h; iretd 2_2_07EEAA6F
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\onedrive.bat.exe Window / User API: threadDelayed 7690 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\onedrive.bat.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\onedrive.bat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Queries the installation date of Windows
Source: C:\Users\user\Desktop\onedrive.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\onedrive.bat.exe Code function: 2_2_07CFDE0C CreateNamedPipeW, 2_2_07CFDE0C
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 829696 Sample: onedrive.bat.exe Startdate: 19/03/2023 Architecture: WINDOWS Score: 0 5 onedrive.bat.exe 8 2->5         started        process3 7 conhost.exe 5->7         started       
No contacted IP infos