File name:

OneDriveStandaloneUpdater.exe

Full analysis: https://app.any.run/tasks/1e58cb9e-5704-485b-ab3e-e15cbb33c243
Verdict: Malicious activity
Analysis date: June 05, 2024, 14:03:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

02F55F4A50AA65A13454F67CD33A2B4B

SHA1:

F3B9B9A0699F68031E1A61FB193B240914A050E6

SHA256:

BBA85A6454D984DCEF2A5062E71C0409D14B183C432FBB085B6D93D13A6BCEF3

SSDEEP:

98304:Ji5q2ityah6P97sZ8gXeYOgf2H08BLQcORBTYxgFfEey1CBOthRiiqc5tKAcS9:fIMm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • OneDriveStandaloneUpdater.exe (PID: 3988)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • OneDriveStandaloneUpdater.exe (PID: 3988)
    • Starts a Microsoft application from unusual location

      • OneDriveStandaloneUpdater.exe (PID: 3988)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
  • INFO

    • Checks supported languages

      • OneDriveStandaloneUpdater.exe (PID: 3988)
      • wmpnscfg.exe (PID: 1120)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
      • MSASCui.exe (PID: 2768)
    • Reads the computer name

      • OneDriveStandaloneUpdater.exe (PID: 3988)
      • wmpnscfg.exe (PID: 1120)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
    • Create files in a temporary directory

      • OneDriveStandaloneUpdater.exe (PID: 3988)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
    • Reads the machine GUID from the registry

      • OneDriveStandaloneUpdater.exe (PID: 3988)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
    • Creates files or folders in the user directory

      • OneDriveStandaloneUpdater.exe (PID: 3988)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
    • Reads Environment values

      • OneDriveStandaloneUpdater.exe (PID: 3988)
    • Manual execution by a user

      • explorer.exe (PID: 752)
      • wmpnscfg.exe (PID: 1120)
      • OneDriveStandaloneUpdater.exe (PID: 1588)
      • OneDriveStandaloneUpdater.exe (PID: 2368)
      • taskmgr.exe (PID: 2124)
      • OneDriveStandaloneUpdater.exe (PID: 2476)
      • OneDriveStandaloneUpdater.exe (PID: 2664)
      • MSASCui.exe (PID: 2768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:23 21:30:53+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 1789440
InitializedDataSize: 731648
UninitializedDataSize: -
EntryPoint: 0x63010
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 19.43.304.13
ProductVersionNumber: 19.43.304.13
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Standalone Updater
InternalName: OneDriveStandaloneUpdater.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: OneDriveStandaloneUpdater.exe
ProductName: Microsoft OneDrive
FileVersion: 19.043.0304.0013
ProductVersion: 19.043.0304.0013
SpecialBuild: b/build/a60cbd91-4d4a-2239-4d0c-44996c8dd44c
No data.
All screenshots are available in the full report
Total processes
52
Monitored processes
9
Malicious processes
0
Suspicious processes
1

Behavior graph

Processes shown in the behavior graph (in graph order; "no specs" marks processes with no indicators):

  • start
  • onedrivestandaloneupdater.exe (no specs)
  • wmpnscfg.exe (no specs)
  • explorer.exe (no specs)
  • onedrivestandaloneupdater.exe (no specs)
  • onedrivestandaloneupdater.exe
  • taskmgr.exe (no specs)
  • onedrivestandaloneupdater.exe
  • onedrivestandaloneupdater.exe
  • msascui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 752
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1120
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1588
CMD: "C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
Path: C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Standalone Updater
Exit code:
1
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\onedrivestandaloneupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2124
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2368
CMD: "C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
Path: C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Standalone Updater
Exit code:
1
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\onedrivestandaloneupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2476
CMD: "C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
Path: C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Standalone Updater
Exit code:
1
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\onedrivestandaloneupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2664
CMD: "C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
Path: C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Standalone Updater
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\onedrivestandaloneupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2768
CMD: "C:\Program Files\Windows Defender\MSASCui.exe"
Path: C:\Program Files\Windows Defender\MSASCui.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Defender User Interface
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows defender\msascui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 3988
CMD: "C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"
Path: C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Standalone Updater
Exit code:
1
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\onedrivestandaloneupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
1 083
Read events
1 062
Write events
13
Delete events
8

Modification events

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON
Operation: write
Name: GUID
Value:
9F31EC6DEE97F94E8C29F0B38504ABC8

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON
Operation: write
Name: File
Value:
wct4131.tmp

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON
Operation: delete value
Name: GUID
Value:
9F31EC6DEE97F94E8C29F0B38504ABC8 (binary value)

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON
Operation: delete value
Name: File
Value:
wct4131.tmp

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON
Operation: delete key
Name: (default)
Value:

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive
Operation: write
Name: OSVerODRanFirstTime
Value:
6.1.7601

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\UpdateDescriptionXml
Operation: write
Name: GUID
Value:
23CFF0426F8D1C46B169A293A50D576F

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\UpdateDescriptionXml
Operation: write
Name: File
Value:
wct7003.tmp

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\UpdateDescriptionXml
Operation: delete value
Name: GUID
Value:
23CFF0426F8D1C46B169A293A50D576F (binary value)

(PID) Process: (3988) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Installer\BITS\UpdateDescriptionXml
Operation: delete value
Name: File
Value:
wct7003.tmp
Executable files
0
Suspicious files
5
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3988
Process: OneDriveStandaloneUpdater.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\Update.xml
Type: xml
MD5: 53244E542DDF6D280A2B03E28F0646B7
SHA256: 36A6BD38A8A6F5A75B73CAFFAE5AE66DFABCAEFD83DA65B493FA881EA8A64E7D

PID: 2368
Process: OneDriveStandaloneUpdater.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-06-05_140430_940-8d4.log
Type: binary
MD5: 21F36B946800D2D734D7F1103701DBD8
SHA256: 47B70364905EC9C32B7C6F9326267E12A7D956FEFF9C7A689A93BEC70EF62635

PID: 3988
Process: OneDriveStandaloneUpdater.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Type: binary
MD5: 16A5B167AB5ED11E70FB352A6ADD53B5
SHA256: 8D33D5A7893FB6D6B0909F50D723ABE0E352E01523E67F27984745C289D9E691

PID: 1588
Process: OneDriveStandaloneUpdater.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-06-05_140413_634-300.log
Type: binary
MD5: 6AAC3235F7FAE4508140A6822FBF8BD4
SHA256: 18476B81B5942CE2B6A26311D2C59A65ACFCF777D37FD5940B759C97A63E290D

PID: 3988
Process: OneDriveStandaloneUpdater.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-06-05_140324_f94-f98.log
Type: binary
MD5: 9DE9F3BFD87AD0A0EF07001CA8743DF0
SHA256: DDD7F9E9AA1C2FAD00D4A14C230A1103ED7B0C872BAB8C0B470F2EBD61488B43

PID: 2476
Process: OneDriveStandaloneUpdater.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-06-05_140521_9ac-298.log
Type: binary
MD5: 10EDB6DB189605E065A93F2E216DE3F7
SHA256: C81A097FE99C6383BFDF10EA198AB128DFEEBDEB95CA5DDD5CAE5661E84FE033
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

IP: 224.0.0.252:5355
Reputation: unknown

PID: 4032
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: unknown

PID: 884
Process: svchost.exe
IP: 68.219.88.225:443
Domain: g.live.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: unknown

PID: 884
Process: svchost.exe
IP: 23.218.209.43:443
Domain: oneclient.sfx.ms
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

DNS requests

Domain
IP
Reputation
Domain: g.live.com
IP: 68.219.88.225
Reputation: whitelisted

Domain: oneclient.sfx.ms
IP: 23.218.209.43
Reputation: unknown

Threats

No threats detected
No debug info