OneDriveSetup.exe

  • File Path: C:\WINDOWS\SysWOW64\OneDriveSetup.exe
  • Description: Microsoft OneDrive (32 bit) Setup

Hashes

Type    Hash
MD5     FFB30948DAA909C3A2B1AD7CE8174726
SHA1    75094D8A4BED74AA61D17B73065653C0211365E6
SHA256  FD161DF816BEC886B20D13A0CBBA4469EB8E5090E050C5D03FA86E18AD15D917
SHA384  21455A1DC2293FFAD27035C4D39A5760F1EDF3E65A331146E14E0F457D9BE82732F387E46BB1DD4978F31338ED2D5004
SHA512  DE3C9804520D571C7DFFC44C77D9AB07375F3303B92A44DEA6A8EE231CB43425D126B740C3BC636B104A3D08F09153DC1B45AF0E291BDC43E3A7B45C24AC56E9
SSDEEP  786432:AUSAwS0tEeq83u4ahZRSWAAhXi4GyVv5/fPCZnYKZu:AU5aEec4EDAA5RGA9fqZnHu
IMP     D55CC552CA042BE013EA2B376CD1BF56
PESHA1  0BD522B3CB803FE52558DCE5DB7409525E48A681
PE256   D347D3FDABCEC956DAF0F7A8992BDB1A5385E6D6A3F136E6793963910F99E38D

Runtime Data

Child Processes:

OneDriveSetup.exe

Open Handles:

Type     Path
File     (---) \FileSystem\Filters\FltMgrMsg
File     (R--) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2021-11-07_224546_8680-8088.log
File     (R--) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2021-11-07.2245.8680.1.aodl
File     (R--) C:\Windows\SysWOW64\OneDriveSetup.exe
File     (R-D) C:\Users\user\AppData\Local\Temp\wct9930.tmp
File     (R-D) C:\Windows\System32\en-US\crypt32.dll.mui
File     (R-D) C:\Windows\System32\en-US\mswsock.dll.mui
File     (RW-) C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc
File     (RW-) C:\Users\user\AppData\Local\Temp\aria-debug-8680.log
File     (RW-) C:\Windows
File     (RW-) C:\Windows\SysWOW64
File     (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d
File     (RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.22000.282_none_162e9dd7277998f6
Section  \BaseNamedObjects\__ComCatalogCache__
Section  \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
Section  \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
Section  \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
Section  \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973
Section  \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
Section  \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0
Section  \Sessions\2\BaseNamedObjects\UrlZonesSM_TI-ADMIN
Section  \Sessions\2\BaseNamedObjects\windows_shell_global_counters
Section  \Sessions\2\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-1128764013-3361508229-3049782613-1001

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\OneDriveSetup.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OneDriveSetup.exe
  • Product Name: Microsoft OneDrive
  • Company Name: Microsoft Corporation
  • File Version: 21.050.0310.0001
  • Product Version: 21.050.0310.0001
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/fd161df816bec886b20d13a0cbba4469eb8e5090e050c5d03fa86e18ad15d917/detection

Possible Misuse

The following entries are possible examples of OneDriveSetup.exe being misused. While OneDriveSetup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
    Source File: registry_event_asep_reg_keys_modification_currentversion.yml
    Example: - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    License: DRL 1.0
  • Source: sigma
    Source File: registry_event_asep_reg_keys_modification_currentversion.yml
    Example: - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
    License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.