OneDrive.exe CPU Miner

The OneDrive.exe process with MD5 73F5B81F6E8B6CBE23D4BF28AC341D8D is not to be mistaken for the genuine OneDrive.exe that belongs to Microsoft's cloud storage service. The OneDrive.exe CPU Miner is a program dropped on computers via fake software updates for Java and Adobe Flash, as well as by Trojan-Droppers. Malware researchers warn that the OneDrive.exe CPU Miner is one of hundreds of variants built on the XMRig code (Github.com/xmrig/xmrig). The XMRig project is favoured by many threat actors who want to deploy a customized CPU miner to already compromised machines and earn money from the processing power of unsuspecting users.

The genuine OneDrive.exe by Microsoft is located under C:\Users\username\AppData\Local\Microsoft\OneDrive and has MD5 73F5B81F6E8B6CBE23D4BF28AC341D8D. Its certificate issuer is listed as Microsoft Code Signing PCA 2010, with serial number 3300000152ed894e5852ddbc2f000000000152. The OneDrive product version at the time of writing is 17.3.7131.1115, and updates to the program are pushed via the Windows Update Center. In contrast, the OneDrive.exe CPU Miner is usually dropped into a folder with a random name under C:\Users\username\AppData\Roaming\. The OneDrive.exe CPU Miner may edit the Registry and run at Windows boot like the genuine instance. However, the OneDrive.exe CPU Miner performs heavy computation and hijacks processing power from the CPU. The OneDrive.exe CPU Miner is used to verify Bitcoin transactions, and it may shorten the lifespan of your computer components. Tools like the OneDrive.exe CPU Miner increase electricity consumption and may cause third-party software (your Web browser, office suite, games and media creation kits) to crash or fail to start. AV companies may flag the OneDrive.exe CPU Miner as:

  • Artemis!73F5B81F6E8B
  • Troj.Msil.Bitcoin!c
  • Trojan.Agent.Mnr
  • Trojan.MSIL.BitCoin.jzz
  • Trojan.MSIL.gen.a.13
  • Win32/BitCoinMiner
  • a variant of MSIL/Kryptik.CHR
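As an added example (not code from the original article), the following PowerShell audits every OneDrive.exe found on a host against the properties listed above for the genuine binary: install directory, Authenticode signature, certificate issuer and certificate serial. The reference values are the ones the article gives; the search scope (running processes plus the current user's profile tree) is an assumption made for this example.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell prompt.
# Reference values below are the ones the article gives for the genuine Microsoft binary.
$ExpectedDir    = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'   # article: genuine install folder
$ExpectedIssuer = 'Microsoft Code Signing PCA 2010'                    # article: certificate issuer
$ExpectedSerial = '3300000152ed894e5852ddbc2f000000000152'             # article: certificate serial

# Candidates (assumed scope): every running OneDrive process plus every OneDrive.exe under the
# profile tree, since the article says the miner lands in a random folder under AppData\Roaming.
$fromProcs = @(Get-Process -Name OneDrive -ErrorAction SilentlyContinue |
               ForEach-Object { $_.Path } | Where-Object { $_ })
$fromDisk  = @(Get-ChildItem -Path $env:USERPROFILE -Filter 'OneDrive.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
               ForEach-Object { $_.FullName })
$candidates = ($fromProcs + $fromDisk) | Sort-Object -Unique

foreach ($path in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    $info = (Get-Item -LiteralPath $path).VersionInfo

    # Each mismatch against the reference values becomes one finding.
    $findings = @()
    if (-not $path.StartsWith($ExpectedDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "located outside $ExpectedDir"
    }
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status '$($sig.Status)'"
    }
    if ($cert -and $cert.Issuer -notmatch [regex]::Escape($ExpectedIssuer)) {
        $findings += "issuer '$($cert.Issuer)'"
    }
    if ($cert -and $cert.SerialNumber -ne $ExpectedSerial) {
        $findings += "serial $($cert.SerialNumber) differs from the article's value"
    }

    $signer  = if ($cert) { $cert.Subject } else { '(unsigned)' }
    $verdict = if ($findings.Count -eq 0) { 'matches reference' } else { 'REVIEW: ' + ($findings -join '; ') }

    [pscustomobject]@{
        Path    = $path
        Version = $info.ProductVersion      # article: 17.3.7131.1115 at the time of writing
        MD5     = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        Signer  = $signer
        Verdict = $verdict
    }
}
```

The decisive signals are a copy living outside the expected folder and a missing or invalid signature. A serial-number mismatch on an otherwise valid Microsoft-signed file in the expected directory usually means Microsoft has rotated its signing certificate since the article was written, so compare it with a fresh install rather than treating it as malicious. The MD5 is reported so it can be compared with current threat intelligence.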

The OneDrive.exe CPU Miner has many variants that feature names you might associate with legitimate software. Some of the XMRig clones are using the following names:

Appmallosayov.exe, Aticonto.exe, CPUutility.exe, Cheat.exe, CltMngSvc.exe, Csrss.exe, DahiService.exe, Desktopcleanerservice.exe, HostStore.exe, Img001.exe, LMS.exe, LoaderBot.exe, MLFOB4NCY.exe, MaskitService.exe, NVDisplayContainer.exe, Open.exe, Pluslax.exe, Proxycheck.exe, Runboosterservice64.exe, Seaidmwsvc.exe, Server.exe, ServicesHost.exe, SetupQQ.exe, Snsdgchsvc.exe, Sppsvc.exe, SystemTaskinfo.exe, TablacusApp.exe, TrustedInstaller.exe, VideoCardUpdater.exe, Wibgotv.exe, Xmnvidia.exe, auto-upgrade.exe, carbon.exe, ccminer-x64.exe, cn3.exe, conhost.exe, ddfsf.exe, debug.exe, deftesrg.exe, dether.exe, ethDcrMiner64.exe, footer.png.exe, guard.exe, hostsys.exe, ingloca.exe, je.exe, mel5s.exe, msiexec.exe, msiexec64.exe, npsvc.exe, pexplorer.exe, qctrl.exe, resellertrona.exe, rthdcpl.exe, schtasks.exe, scinfo.exe, searchgo.exe, setcpuaff.exe, skypeUpdateEx.exe, spoolsv.exe, srvany.exe, svowxkb.exe, systemNT.exe, systemhoster.exe, systems.exe, taskxmr.exe, tc.exe, tiser.exe, tunecontrol.exe, videodrv.exe, viva.exe, vivatmp.exe, watchdog.exe, win1ogins.exe, windir.exe, winlg.exe, wmiprvse.exe, wvermgr.exe, xme64-24.exe, yam.exe.

The folders associated with XMRig clones are the following:

C:\Program Data\WindowsVideoErrorReporting\
C:\Program Data\tiser\
C:\Program Files\Desktop Cleaner\
C:\Program Files\MLFOB4NCYB\
C:\Program Files\RunBooster\
C:\Program Files\SearchProtect\bin\
C:\Program Files\SkypeUpdateEx\
C:\Program Files\System Native\Main Services
C:\Program Files\Vivia\
C:\Users\username\AppData\Local\scinfo\
C:\Users\username\AppData\Pluslax\
C:\Users\username\AppData\System\CPU1\
C:\Users\username\AppData\Temp\WindowsTask\MicrosoftShellHost\
C:\Users\username\AppData\VideoCardUpdater\
C:\Users\username\AppData\Windows\System Idle\
C:\Users\username\AppData\videodrv\
C:\Windows\Fonts\wininit\
C:\Windows\SysWOW64\
C:\Windows\System\hssad\
C:\Windows\min\
C:\Windows\sghgdasf\
C:\Windows\system\NVDisplayContainer
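The two lists above are only useful when a name or folder match is qualified by where the file lives and whether it is signed, because several of the names (conhost.exe, msiexec.exe, spoolsv.exe, csrss.exe, schtasks.exe, wmiprvse.exe and others) are also real Windows components. The following PowerShell is an added example, not code from the original article: it sweeps a host for the listed folders and running processes, expands the article's "username" placeholder to every profile under C:\Users (an assumption), and rates each process hit by location and Authenticode status. The set of directories treated as "system" is also an assumption, and C:\Windows\SysWOW64\ is left out of the folder check because it exists on every 64-bit Windows install.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell prompt.
# File names and folders below are copied from the article's lists.
$CloneNames = @'
Appmallosayov.exe Aticonto.exe CPUutility.exe Cheat.exe CltMngSvc.exe Csrss.exe DahiService.exe
Desktopcleanerservice.exe HostStore.exe Img001.exe LMS.exe LoaderBot.exe MLFOB4NCY.exe
MaskitService.exe NVDisplayContainer.exe Open.exe Pluslax.exe Proxycheck.exe Runboosterservice64.exe
Seaidmwsvc.exe Server.exe ServicesHost.exe SetupQQ.exe Snsdgchsvc.exe Sppsvc.exe SystemTaskinfo.exe
TablacusApp.exe TrustedInstaller.exe VideoCardUpdater.exe Wibgotv.exe Xmnvidia.exe auto-upgrade.exe
carbon.exe ccminer-x64.exe cn3.exe conhost.exe ddfsf.exe debug.exe deftesrg.exe dether.exe
ethDcrMiner64.exe footer.png.exe guard.exe hostsys.exe ingloca.exe je.exe mel5s.exe msiexec.exe
msiexec64.exe npsvc.exe pexplorer.exe qctrl.exe resellertrona.exe rthdcpl.exe schtasks.exe scinfo.exe
searchgo.exe setcpuaff.exe skypeUpdateEx.exe spoolsv.exe srvany.exe svowxkb.exe systemNT.exe
systemhoster.exe systems.exe taskxmr.exe tc.exe tiser.exe tunecontrol.exe videodrv.exe viva.exe
vivatmp.exe watchdog.exe win1ogins.exe windir.exe winlg.exe wmiprvse.exe wvermgr.exe xme64-24.exe yam.exe
'@ -split '\s+' | Where-Object { $_ }

# Article's folders, minus C:\Windows\SysWOW64\ (present on every 64-bit install, so never a signal).
$CloneFolders = @(
    'C:\Program Data\WindowsVideoErrorReporting\', 'C:\Program Data\tiser\',
    'C:\Program Files\Desktop Cleaner\', 'C:\Program Files\MLFOB4NCYB\', 'C:\Program Files\RunBooster\',
    'C:\Program Files\SearchProtect\bin\', 'C:\Program Files\SkypeUpdateEx\',
    'C:\Program Files\System Native\Main Services', 'C:\Program Files\Vivia\',
    'C:\Users\username\AppData\Local\scinfo\', 'C:\Users\username\AppData\Pluslax\',
    'C:\Users\username\AppData\System\CPU1\', 'C:\Users\username\AppData\Temp\WindowsTask\MicrosoftShellHost\',
    'C:\Users\username\AppData\VideoCardUpdater\', 'C:\Users\username\AppData\Windows\System Idle\',
    'C:\Users\username\AppData\videodrv\', 'C:\Windows\Fonts\wininit\', 'C:\Windows\System\hssad\',
    'C:\Windows\min\', 'C:\Windows\sghgdasf\', 'C:\Windows\system\NVDisplayContainer'
)

# Expand the article's "username" placeholder to every profile on the machine (assumed root C:\Users).
$profiles = @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
$expanded = foreach ($f in $CloneFolders) {
    if ($f -like '*\username\*') { foreach ($u in $profiles) { $f.Replace('\username\', "\$u\") } }
    else { $f }
}
$folderHits = foreach ($f in $expanded) {
    if (Test-Path -LiteralPath $f) {
        [pscustomobject]@{ Kind = 'Folder'; Item = $f; CPUSeconds = $null; Verdict = 'listed drop folder exists; inspect its contents' }
    }
}

# Directories where the legitimately named twins of some list entries live (assumption for this example).
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\servicing")
$procHits = foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($CloneNames -notcontains "$($p.ProcessName).exe") { continue }
    $path = $p.Path
    if (-not $path) {
        $verdict = 'image path not readable (run elevated)'
    } else {
        $dir   = (Split-Path -Path $path -Parent).TrimEnd('\')
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $inSys = [bool]($SystemDirs | Where-Object { $dir -eq $_ })
        $verdict = if ($inSys -and $sig.Status -eq 'Valid') {
            'signed and in a Windows system directory; likely the legitimate binary'
        } elseif ($sig.Status -eq 'Valid') {
            "signed by '$($sig.SignerCertificate.Subject)' outside system directories; verify the publisher"
        } else {
            "SUSPECT: signature status '$($sig.Status)' for $path"
        }
    }
    # Total processor seconds consumed so far; a miner climbs far faster than the legitimate twin.
    $cpu = if ($p.CPU) { [math]::Round($p.CPU, 1) } else { $null }
    [pscustomobject]@{ Kind = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id))"; CPUSeconds = $cpu; Verdict = $verdict }
}

@($folderHits) + @($procHits) | Sort-Object Kind, Item | Format-Table -AutoSize -Wrap
```

An unsigned binary with a list name running from a user profile or a random folder, with a high and climbing CPUSeconds figure, is the pattern the article describes; a validly signed process in System32 with the same name is the normal Windows component and should be left alone.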
