OneDriveSetup.exe
- File Path:
C:\Users\user\AppData\Local\Microsoft\OneDrive\21.220.1024.0001\OneDriveSetup.exe - Description: Microsoft OneDrive (64 bit) Setup
Hashes
| Type | Hash |
|---|---|
| MD5 | F804C3163FAB87FC1B104DC3F1E867AF |
| SHA1 | 68640BAB3841FCA0485F26974785AAE87440542D |
| SHA256 | 4CBB680E01757C1DBECD1CCA6B7C31CD135B2A3D56FC4BE3FF3293865C602D5E |
| SHA384 | F1E56E7D9D0C830E163242D6B2263E73E11237A8759EFAB4620E97A7B31EEF2BB3979A3DE0EA7676DB44BFE743D2FE91 |
| SHA512 | 3158375A01D769AD9FC1E69BA6A2879C3DD907846CB668B455DAFFB6F13A00F84F6B2ECF665DB84A8B485845A429236DD525EB708F10E5A5A0947C6D81585947 |
| SSDEEP | 786432:/nOIVfQ0qYXWvHKGXn3QmSjnSWHf6zcaaV6DxqTdeG4PrFtm1h7FY6:/LtxXWyQ3A3/6zcaa48dMrQ7FP |
| IMP | 9289F4778F29F14AFE5C7DD90624AB9E |
| PESHA1 | B8EC32AE767C9023395CD5B9D0DFFE7767EB2500 |
| PE256 | A99C15BC52EA8A7C4AFFE9E85BC1C4F0FA00EB1E820C2465A636A146FC28D9C0 |
Runtime Data
Child Processes:
OneDriveSetup.exe
Open Handles:
| Path | Type |
|---|---|
| (—) \FileSystem\Filters\FltMgrMsg | File |
| (R–) C:\Users\user\AppData\Local\Microsoft\OneDrive\21.220.1024.0001\OneDriveSetup.exe | File |
| (R–) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2021-11-07_231906_5052-6384.log | File |
| (R–) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2021-11-07.2319.5052.1.aodl | File |
| (R-D) C:\Users\user\AppData\Local\Temp\wct1C39.tmp | File |
| (R-D) C:\Windows\System32\en-US\crypt32.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\mswsock.dll.mui | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc-shm | File |
| (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc-wal | File |
| (RW-) C:\Windows\System32 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.22000.282_none_ce81670012fd6ff0 | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\UrlZonesSM_TI-ADMIN | Section |
| \Sessions\2\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\2\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-1128764013-3361508229-3049782613-1001 | Section |
Loaded Modules:
| Path |
|---|
| C:\Users\user\AppData\Local\Microsoft\OneDrive\21.220.1024.0001\OneDriveSetup.exe |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\USER32.dll |
| C:\WINDOWS\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial:
33000003F16206E3E7EFDA8ABE0000000003F1 - Thumbprint:
5362FAEB842C236D05A729B7FAC85BAA1B68BDCA - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: OneDriveSetup.exe
- Product Name: Microsoft OneDrive
- Company Name: Microsoft Corporation
- File Version: 21.220.1024.0001
- Product Version: 21.220.1024.0001
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/4cbb680e01757c1dbecd1cca6b7c31cd135b2a3d56fc4be3ff3293865c602d5e/detection
Possible Misuse
The following table contains possible examples of OneDriveSetup.exe being misused. While OneDriveSetup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | registry_event_asep_reg_keys_modification_currentversion.yml | - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentversion.yml | - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.