File name:

thumbnail[1].png

Full analysis: https://app.any.run/tasks/89f1371a-906a-4216-9f9b-d71a20a863fa
Verdict: Malicious activity
Analysis date: January 30, 2025, 00:40:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: image/png
File info: PNG image data, 32 x 15, 8-bit/color RGB, non-interlaced
MD5:

20F4B30E38632B61C1131DFB5A1C4A8E

SHA1:

E37CB5634E016E6DDC9CA600CAC39181AF6DE9BE

SHA256:

BFE8D97AF8F796E169746C30E28A8F64933FEE0266F6ADFA8202058DC9419011

SSDEEP:

48:Wv4UZdXrMhYdmRlyjKjSy7E3Ekiau4qDN2E67:WvrZNMh2ejSyoEkiT4qDG7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates/Modifies COM task schedule object

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Checks Windows Trust Settings

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Reads security settings of Internet Explorer

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Application launched itself

      • OneDrive.exe (PID: 6940)

    • Reads Internet Explorer settings

      • OneDrive.exe (PID: 1200)

    • Reads Microsoft Outlook installation path

      • OneDrive.exe (PID: 1200)

  • INFO

    • Reads the time zone

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Reads the computer name

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Manual execution by a user

      • OneDrive.exe (PID: 6940)

    • Create files in a temporary directory

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Creates files or folders in the user directory

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Checks supported languages

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Reads the machine GUID from the registry

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Checks proxy server information

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Reads the software policy settings

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Reads CPU info

      • OneDrive.exe (PID: 6940)
      • OneDrive.exe (PID: 1200)

    • Process checks computer location settings

      • OneDrive.exe (PID: 6940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.png | Portable Network Graphics (100)

EXIF

PNG

ImageWidth: 32
ImageHeight: 15
BitDepth: 8
ColorType: RGB
Compression: Deflate/Inflate
Filter: Adaptive
Interlace: Noninterlaced
WhitePointX: 0.3127
WhitePointY: 0.329
RedX: 0.64
RedY: 0.33
GreenX: 0.3
GreenY: 0.6
BlueX: 0.15
BlueY: 0.06
BackgroundColor: 255 255 255
PixelsPerUnitX: 3779
PixelsPerUnitY: 3779
PixelUnits: meters
ModifyDate: 2025:01:29 18:43:49
Datecreate: 2025-01-29T18:43:49+00:00
Datemodify: 2025-01-29T18:43:49+00:00
Datetimestamp: 2025-01-29T18:43:49+00:00

Composite

ImageSize: 32x15
Megapixels: 0.00048
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs onedrive.exe onedrive.exe

Process information

PID
CMD
Path
Indicators
Parent process
1200"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /client=Business1 /hideWelcomePage /email:jackspawrrow@outlook.comC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
OneDrive.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6352"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Roaming\thumbnail[1].pngC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6940"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
9 523
Read events
9 203
Write events
298
Delete events
22

Modification events

(PID) Process:(6352) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Photo Viewer\Viewer
Operation:writeName:MainWndPos
Value:
6000000033000000A00400007502000000000000
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\AppID\OneDrive.EXE
Operation:writeName:AppID
Value:
{EEABD3A3-784D-4334-AAFC-BB13234F17CF}
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\FileSyncClient.AutoPlayHandler\shell\import\DropTarget
Operation:writeName:CLSID
Value:
{5999E1EE-711E-48D2-9884-851A709F543D}
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\BannerNotificationHandler.BannerNotificationHandler\shell\import\DropTarget
Operation:writeName:CLSID
Value:
{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib
Operation:writeName:Version
Value:
1.0
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib
Operation:writeName:Version
Value:
1.0
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib
Operation:writeName:Version
Value:
1.0
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib
Operation:writeName:Version
Value:
1.0
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib
Operation:writeName:Version
Value:
1.0
(PID) Process:(6940) OneDrive.exeKey:HKEY_CLASSES_ROOT\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib
Operation:writeName:Version
Value:
1.0
Executable files
0
Suspicious files
23
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.session-journalbinary
MD5:5A591C4C098D157A3CE64AD8AAC2D001
SHA256:310C4336857BC3085C2A52AF9936BDDAB60C52004358CBE86C871AD37FB5F282
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2025-01-30.0041.6940.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings.inibinary
MD5:86809AA90D4D8C7EFBACFE7AAC456271
SHA256:E2BE7553BDEAEF6203D3B4DE5102BF78BC487D3623B59E8D31BC2F0F348A91CC
1200OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Business1\SyncEngine-2025-01-30.0041.1200.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\settings\Personal\global.inibinary
MD5:1CB41274B6D79F806659BE54BB7C5BD4
SHA256:11FCCB3B4A87FF3968B63050B63608AD473D31EE971BE8453F2B6968B08C6EE3
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.sessionbinary
MD5:580BD824DEBBA908591408D7A5A3D01F
SHA256:B3218FF93047231A34C6962C758A36D412C2EB928C33F7EE537023EB6E489974
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\settings\Personal\global.temp.inibinary
MD5:1CB41274B6D79F806659BE54BB7C5BD4
SHA256:11FCCB3B4A87FF3968B63050B63608AD473D31EE971BE8453F2B6968B08C6EE3
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\settings\Personal\assertInformation.inibinary
MD5:280B5AFD845BD6385D91217D861A0C18
SHA256:90B4A8B1D9809E2969EB78F39A9667072C00E8534FCF987285BA6C28E2BD2432
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.0304.0013.etlbinary
MD5:860C8A39C2414A14773DF20DE9EF9DF5
SHA256:74DAA896B5BA556A8FC58FECB2561ADC55000C563217B3056D55CC6C39905492
6940OneDrive.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\setup\logs\Downloader_2025-01-30_004106_1b1c-1b20.logbinary
MD5:45FD0244B5219CAB77EF9A1409F58C40
SHA256:63B88A2376FC6245C3B44570D91148B9397C03B5550557FE5875F8CE293D8BC6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
54
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6940
OneDrive.exe
GET
404
184.30.18.9:80
http://go.microsoft.com/fwlink/?LinkId=735053
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2624
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
204.79.197.222:443
fp.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6940
OneDrive.exe
13.74.129.92:443
g.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6940
OneDrive.exe
184.30.18.9:80
go.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
google.com
  • 142.250.185.206
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
g.live.com
  • 13.74.129.92
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.68
  • 20.190.160.14
  • 20.190.160.66
  • 20.190.160.128
  • 40.126.32.136
  • 20.190.160.130
  • 20.190.160.132
whitelisted
login.microsoftonline.com
  • 40.126.32.134
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.17
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
  • 2603:1030:c02:2::284
whitelisted
241.42.69.40.in-addr.arpa
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
thumbnail[1].png