OneDriveSetup.exe

  • File Path: C:\Windows\SysWOW64\OneDriveSetup.exe
  • Description: Microsoft OneDrive (32 bit) Setup

Hashes

Type Hash
MD5 0EA845F896C821E04009C0336D7547EC
SHA1 CE8669D8826C8795115D58C62E726AE53943DCE9
SHA256 94273EC2DAED031ADB6A954E5E49B29E61042D26BFBE074AF534EA743F54460C
SHA384 2A3709AE460A9158E5379378240FA330A69BFA69E1A015B0D0585BFC78546D48183401111BFD1BF5FE95736521085ADB
SHA512 EECA5098D10506EB1D6EEE2CBC50FDCEDA7DEA6468CA753A01059F28B407C4123A78230FB312C0DCFBF87B44703A7C2C9D4E04B71D6BFD63323F865E7B977B34
SSDEEP 786432:bwDzDsBnXydqA+UHdl2ui3WOsk9BKeVVe90A2MAS:bwDzIRQqA1HHFiGo9nVeGS
IMP 8CAA74ED9190DA79525729FFC9BE511E
PESHA1 9853ED227CA8BEE8FA51C6CB2C9477B0A985F4F4
PE256 B4DEFEF556A4933B7288D146D1FA14AEC35D01C2C5404CED9B7E2BFA69BD48D4

Runtime Data

Open Handles:

Path Type
(R--) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2020-12-13_040600_1038-16f4.log File
(R--) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2020-12-13.0406.4152.1.aodl File
(RW-) C:\Users\user File
(RW-) C:\Users\user\AppData\Local\Temp\aria-debug-4152.log File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.685_none_4299dbb28a92ae3e File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\OneDriveSetup.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OneDriveSetup.exe
  • Product Name: Microsoft OneDrive
  • Company Name: Microsoft Corporation
  • File Version: 19.043.0304.0013
  • Product Version: 19.043.0304.0013
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/94273ec2daed031adb6a954e5e49b29e61042d26bfbe074af534ea743f54460c/detection

Possible Misuse

The following table contains possible examples of OneDriveSetup.exe being misused. While OneDriveSetup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
    Source File: registry_event_asep_reg_keys_modification_currentversion.yml
    Example: - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    License: DRL 1.0
  • Source: sigma
    Source File: registry_event_asep_reg_keys_modification_currentversion.yml
    Example: - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
    License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.