File name: OneDriveStandaloneUpdater.exe.zip
Full analysis: https://app.any.run/tasks/43b75c1f-55da-4227-a145-27bd361f5aed
Verdict: Malicious activity
Analysis date: July 16, 2024, 09:58:03
OS: Windows 11 Professional (build: 22000, 64 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: CCC1A331FE9F70325FF3ED7C45669B38
SHA1: 0F66841DF9DEAD30D19C7EEF26004E6DAC9A675F
SHA256: FD91F9B0648CBF44EC61FAFEC5C98742AEEB41AB89A9E7AD0C852941C023B38A
SSDEEP: 49152:4lVqU8VSiZzorqUxIjAI40vdSE+9rCvlON/3ew8muGvUyQxB30t/aNHoXxBu9h8W:W4UQSWzoJIj5Xlr+pN//lxp6301aCPuB
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the reader's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 252)
      • OneDriveSetup.exe (PID: 6088)
    • Changes the autorun value in the registry
      • OneDriveSetup.exe (PID: 6088)
    • Scans artifacts that could help determine the target
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • The DLL Hijacking
      • msedgewebview2.exe (PID: 1048)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 252)
      • OneDriveSetup.exe (PID: 6088)
    • Starts a Microsoft application from unusual location
      • OneDriveStandaloneUpdater.exe (PID: 4356)
    • Reads the Internet Settings
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Checks Windows Trust Settings
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • OneDrive.exe (PID: 1584)
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 252)
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads the date of Windows installation
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
    • Reads settings of System Certificates
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Application launched itself
      • OneDriveSetup.exe (PID: 3344)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 4248)
    • Executable content was dropped or overwritten
      • OneDriveSetup.exe (PID: 6088)
    • The process drops C-runtime libraries
      • OneDriveSetup.exe (PID: 6088)
    • Changes Internet Explorer settings (feature browser emulation)
      • OneDriveSetup.exe (PID: 6088)
    • Creates/Modifies COM task schedule object
      • OneDriveSetup.exe (PID: 6088)
    • The process creates files with name similar to system file names
      • OneDriveSetup.exe (PID: 6088)
    • Creates a software uninstall entry
      • OneDriveSetup.exe (PID: 6088)
    • Write to the desktop.ini file (may be used to cloak folders)
      • FileSyncConfig.exe (PID: 2788)
  • INFO
    • Manual execution by a user
      • OneDriveStandaloneUpdater.exe (PID: 4356)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 252)
    • Reads the computer name
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • FileSyncConfig.exe (PID: 2788)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • msedgewebview2.exe (PID: 5560)
      • msedgewebview2.exe (PID: 1048)
      • OneDrive.exe (PID: 1584)
    • Checks proxy server information
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads the machine GUID from the registry
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads the software policy settings
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Checks supported languages
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • FileSyncConfig.exe (PID: 2788)
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • msedgewebview2.exe (PID: 1328)
      • msedgewebview2.exe (PID: 432)
      • msedgewebview2.exe (PID: 5560)
      • OneDrive.exe (PID: 1584)
      • msedgewebview2.exe (PID: 1048)
      • msedgewebview2.exe (PID: 5668)
      • OneDrive.exe (PID: 4248)
    • Reads Microsoft Office registry keys
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • OneDrive.exe (PID: 1584)
    • Creates files or folders in the user directory
      • OneDriveSetup.exe (PID: 3344)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • msedgewebview2.exe (PID: 4228)
      • msedgewebview2.exe (PID: 1328)
      • msedgewebview2.exe (PID: 5560)
      • OneDrive.exe (PID: 1584)
      • Microsoft.SharePoint.exe (PID: 1524)
    • Reads Environment values
      • OneDriveSetup.exe (PID: 3344)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 1584)
    • Creates files in the program directory
      • OneDriveSetup.exe (PID: 6088)
    • Create files in a temporary directory
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: -
  ZipCompression: Deflated
  ZipModifyDate: 2024:07:16 09:38:36
  ZipCRC: 0xe6b2b3d6
  ZipCompressedSize: 1709334
  ZipUncompressedSize: 4209056
  ZipFileName: OneDriveStandaloneUpdater.exe
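Before relying on hashes copied from a third-party report, a handler normally recomputes them and checks that the archive's central directory agrees with what was extracted: the EXIF fields above say the entry OneDriveStandaloneUpdater.exe needs ZIP v2.0, is Deflate-compressed, has CRC 0xe6b2b3d6 and is 1709334 bytes compressed / 4209056 uncompressed. The script below is an added example, not ANY.RUN's or Microsoft's code. It recomputes the archive hashes, reads those central-directory fields with Python's zipfile module, verifies the stored CRC-32 against the actual bytes, refuses traversal-style entry names before anything is extracted, and diffs an entry against reported values. The archive it inspects is constructed in build_sample_zip() (a fake MZ payload under the report's entry name), so its CRC, sizes and hashes differ from the report; the test against REPORTED is expected to show exactly those differences.

```python
"""Pre-submission checks for a ZIP sample.

Added example, not ANY.RUN's or Microsoft's code. REPORTED is transcribed from the
report's EXIF section; build_sample_zip() is a constructed stand-in, not the real
OneDriveStandaloneUpdater.exe.zip.
"""
import hashlib
import io
import posixpath
import struct
import zipfile
import zlib

# Values the report's EXIF section gives for the real archive (transcribed from the page).
REPORTED = {
    "name": "OneDriveStandaloneUpdater.exe",
    "required_version": 20,
    "compression": 8,            # zipfile.ZIP_DEFLATED == 8 ("Deflated" in the report)
    "crc": 0xE6B2B3D6,
    "compressed_size": 1709334,
    "uncompressed_size": 4209056,
}


def archive_hashes(data: bytes) -> dict:
    """MD5 / SHA1 / SHA256 of the archive itself, upper-case as in the report header."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def safe_entry_name(name: str) -> bool:
    """Reject absolute paths, drive letters and '..' traversal before extracting anything."""
    if not name or name.startswith(("/", "\\")):
        return False
    norm = posixpath.normpath(name.replace("\\", "/"))
    if ":" in norm.split("/")[0]:          # C:\... or C:/... survives normalisation
        return False
    return norm != ".." and not norm.startswith("../")


def inspect_entry(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> dict:
    """Central-directory metadata for one entry plus checks on the actual bytes."""
    try:
        data = zf.read(info)               # zipfile raises BadZipFile when the CRC-32 does not match
        crc_ok = zlib.crc32(data) == info.CRC
    except (zipfile.BadZipFile, zlib.error):
        data, crc_ok = b"", False
    return {
        "name": info.filename,
        "required_version": info.extract_version,
        "compression": info.compress_type,
        "crc": info.CRC,
        "compressed_size": info.compress_size,
        "uncompressed_size": info.file_size,
        "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
        "crc_ok": crc_ok,
        "is_pe": data[:2] == b"MZ",        # inner file carries a DOS/PE header
        "safe_name": safe_entry_name(info.filename),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def inspect_archive(zip_bytes: bytes) -> dict:
    """Archive hashes plus one record per entry; the archive is only ever opened in memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [inspect_entry(zf, info) for info in zf.infolist()]
    return {"hashes": archive_hashes(zip_bytes), "entries": entries}


def compare_to_report(entry: dict, reported: dict) -> dict:
    """Fields where the observed entry differs from claimed values: {field: (reported, observed)}."""
    return {k: (v, entry.get(k)) for k, v in reported.items() if entry.get(k) != v}


def build_sample_zip(stored: bool = False) -> bytes:
    """Constructed stand-in archive: a fake 'MZ' payload under the report's entry name."""
    payload = b"MZ" + b"\x90" * 4094       # not a real PE, just enough to trip the MZ check
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("OneDriveStandaloneUpdater.exe", payload)
    return buf.getvalue()


def tamper_first_data_byte(zip_bytes: bytes, entry_name: str) -> bytes:
    """Flip the first byte of an entry's stored data (simulates corruption or tampering in transit)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        off = zf.getinfo(entry_name).header_offset
    # local file header: 30 fixed bytes, filename length at +26, extra-field length at +28
    name_len, extra_len = struct.unpack("<HH", zip_bytes[off + 26:off + 30])
    pos = off + 30 + name_len + extra_len
    buf = bytearray(zip_bytes)
    buf[pos] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    report = inspect_archive(build_sample_zip())
    print("archive sha256:", report["hashes"]["sha256"])
    for e in report["entries"]:
        print(e["name"], "crc_ok=%s is_pe=%s safe_name=%s" % (e["crc_ok"], e["is_pe"], e["safe_name"]))
        for field, (want, got) in compare_to_report(e, REPORTED).items():
            print("  differs from report: %s reported=%r observed=%r" % (field, want, got))
```

Run inspect_archive() on the real archive to compare the entry's sha256 with the hash the dropped-files section gives for the extracted OneDriveStandaloneUpdater.exe and the archive hashes with the MD5/SHA1/SHA256 in the header. A CRC failure or an unsafe entry name is a reason to stop before extraction, not something to note afterwards.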
Total processes: 116
Monitored processes: 14
Malicious processes: 6
Suspicious processes: 2

Behavior graph nodes (in order): winrar.exe, onedrivestandaloneupdater.exe, onedrivesetup.exe (no specs), onedrivesetup.exe, filesyncconfig.exe (no specs), onedrive.exe, microsoft.sharepoint.exe, msedgewebview2.exe, msedgewebview2.exe (no specs), msedgewebview2.exe (no specs), msedgewebview2.exe, msedgewebview2.exe (no specs), msedgewebview2.exe (no specs), onedrive.exe

Process information
PID: 252
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
PID: 432
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView" --webview-exe-name=OneDrive.exe --webview-exe-version=24.128.0625.0001 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2372 --field-trial-handle=1892,i,1582774147777350670,5190960477022882854,131072 --disable-features=msEnhancedTrackingPreventionEnabled /prefetch:8
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
PID: 1048
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView" --webview-exe-name=OneDrive.exe --webview-exe-version=24.128.0625.0001 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1892,i,1582774147777350670,5190960477022882854,131072 --disable-features=msEnhancedTrackingPreventionEnabled /prefetch:2
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=103.0.5060.134 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=103.0.1264.77 --initial-client-data=0x128,0x12c,0x130,0x104,0x138,0x7ff9c0f1a0b8,0x7ff9c0f1a0c8,0x7ff9c0f1a0d8
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
PID: 1524
CMD: /silentConfig
Path: C:\Program Files\Microsoft OneDrive\24.128.0625.0001\Microsoft.SharePoint.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft SharePoint
Exit code: 0
Version: 24.128.0625.0001
Modules (images):
  c:\program files\microsoft onedrive\24.128.0625.0001\microsoft.sharepoint.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
PID: 1584
CMD: "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /client=Personal /background
Path: C:\Program Files\Microsoft OneDrive\OneDrive.exe
Parent process: OneDrive.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Version: 24.128.0625.0001
Modules (images):
  c:\program files\microsoft onedrive\onedrive.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
PID: 2788
CMD: "C:\Program Files\Microsoft OneDrive\24.128.0625.0001\FileSyncConfig.exe" /allusers
Path: C:\Program Files\Microsoft OneDrive\24.128.0625.0001\FileSyncConfig.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft OneDrive Configuration Application
Exit code: 0
Version: 24.128.0625.0001
Modules (images):
  c:\program files\microsoft onedrive\24.128.0625.0001\filesyncconfig.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
PID: 3344
CMD: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /restart /updateSource:ODSU
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
Parent process: OneDriveStandaloneUpdater.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive (64 bit) Setup
Exit code: 0
Version: 24.128.0625.0001
Modules (images):
  c:\users\admin\appdata\local\microsoft\onedrive\standaloneupdater\onedrivesetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\gdi32full.dll
PID: 4228
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=OneDrive.exe --webview-exe-version=24.128.0625.0001 --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msEnhancedTrackingPreventionEnabled --mojo-named-platform-channel-pipe=4248.3064.15023526274655039146
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: OneDrive.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
PID: 4248
CMD: /updateInstalled /background
Path: C:\Program Files\Microsoft OneDrive\OneDrive.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Exit code: 3011
Version: 24.128.0625.0001
Modules (images):
  c:\program files\microsoft onedrive\onedrive.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
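The process rows above, read together with the SUSPICIOUS tag "Starts a Microsoft application from unusual location", are what the triage turns on. The Desktop copy of OneDriveStandaloneUpdater.exe (PID 4356, extracted there by WinRAR) starts OneDriveSetup.exe from %LOCALAPPDATA%\Microsoft\OneDrive\StandaloneUpdater with /update /restart /updateSource:ODSU, which in turn starts OneDrive.exe /updateInstalled, Microsoft.SharePoint.exe /silentConfig and FileSyncConfig.exe /allusers at HIGH integrity. That chain is consistent with the OneDrive standalone updater's normal update sequence, and "Company: Microsoft Corporation" is a version-resource string, not a signature check. The verdict therefore rests on an Authenticode check of the Desktop file (SHA256 DFFB728A6A95A20E98B509805419C171C1C4FFF6E7F161CBDE32AE6F042FE629 in the dropped-files list) and of the dropped OneDriveSetup.exe, for which this export records no hash at all. The script below is an added example, not ANY.RUN's code: it automates the two structural checks a reviewer otherwise does by eye over the table, namely which processes ran from user-writable paths and which descend from them, and where integrity rises from parent to child. ROWS is transcribed from the table; since the export names each parent by image only, ancestry is resolved over names and over-approximates where rows share a name. PID 4356 has no row of its own in the export, so its parent and integrity are recorded as unknown.

```python
"""Triage of a sandbox process table: processes run from user-writable paths, their
descendants, and parent-to-child integrity elevation.

Added example, not ANY.RUN's code. ROWS is transcribed from the report's process table;
PID 4356's path comes from the dropped-files list and its parent/integrity are unknown.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid name path parent integrity")

WEBVIEW = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe"
ROWS = [
    Proc(252, "WinRAR.exe", r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM"),
    Proc(4356, "OneDriveStandaloneUpdater.exe", r"C:\Users\admin\Desktop\OneDriveStandaloneUpdater.exe", None, None),
    Proc(3344, "OneDriveSetup.exe", r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe",
         "OneDriveStandaloneUpdater.exe", "MEDIUM"),
    Proc(2788, "FileSyncConfig.exe", r"C:\Program Files\Microsoft OneDrive\24.128.0625.0001\FileSyncConfig.exe",
         "OneDriveSetup.exe", "HIGH"),
    Proc(1524, "Microsoft.SharePoint.exe", r"C:\Program Files\Microsoft OneDrive\24.128.0625.0001\Microsoft.SharePoint.exe",
         "OneDriveSetup.exe", "MEDIUM"),
    Proc(4248, "OneDrive.exe", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "OneDriveSetup.exe", "MEDIUM"),
    Proc(1584, "OneDrive.exe", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "OneDrive.exe", "MEDIUM"),
    Proc(4228, "msedgewebview2.exe", WEBVIEW, "OneDrive.exe", "MEDIUM"),
    Proc(432, "msedgewebview2.exe", WEBVIEW, "msedgewebview2.exe", "LOW"),
    Proc(1048, "msedgewebview2.exe", WEBVIEW, "msedgewebview2.exe", "LOW"),
    Proc(1328, "msedgewebview2.exe", WEBVIEW, "msedgewebview2.exe", "MEDIUM"),
]

# Locations a standard user can write to; an image started from here was not placed by an installer running as admin.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}


def from_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def index_by_name(rows) -> dict:
    by_name = {}
    for r in rows:
        by_name.setdefault(r.name, []).append(r)
    return by_name


def ancestor_names(name: str, by_name: dict) -> set:
    """Every image name reachable by following parent links upward from `name` (cycle-safe)."""
    seen, stack = set(), [name]
    while stack:
        for r in by_name.get(stack.pop(), []):
            if r.parent and r.parent not in seen:
                seen.add(r.parent)
                stack.append(r.parent)
    return seen


def triage(rows) -> dict:
    by_name = index_by_name(rows)
    roots, tainted, elevations = [], [], []
    for r in rows:
        if from_user_writable(r.path):
            roots.append(r.pid)
        # tainted: the process itself, a same-name row, or any ancestor ran from a user-writable path
        lineage = ancestor_names(r.name, by_name) | {r.name}
        if any(from_user_writable(p.path) for n in lineage for p in by_name.get(n, [])):
            tainted.append(r.pid)
        # elevation: child integrity above every candidate parent row; comparing against the
        # maximum avoids false positives where same-name parents differ (the webview children)
        parent_ranks = [RANK[p.integrity] for p in by_name.get(r.parent, [])
                        if p.pid != r.pid and p.integrity in RANK]
        if r.integrity in RANK and parent_ranks and RANK[r.integrity] > max(parent_ranks):
            elevations.append(r.pid)
    return {"user_writable_roots": sorted(roots), "tainted": sorted(tainted), "elevations": sorted(elevations)}


if __name__ == "__main__":
    for key, pids in triage(ROWS).items():
        print(key, pids)
```

On this table the script reports 3344 and 4356 as user-writable roots, every row except WinRAR.exe as descending from them, and FileSyncConfig.exe (2788, HIGH under a MEDIUM OneDriveSetup.exe) as the one elevation. None of that distinguishes a genuine updater from a lookalike; it only tells the reviewer which binaries' signatures have to be checked.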
Total events: 60 918
Read events: 59 653
Write events: 577
Delete events: 688

Modification events

(PID) Process | Operation | Key | Name = Value
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | VerInfo = 005B0500AF8954AA66D7DA01
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon = (empty)
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe.zip
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime = 100
(252) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 = C:\Users\admin\Desktop
(4356) OneDriveStandaloneUpdater.exe | write | HKEY_CURRENT_USER\Software\Microsoft\OneDrive | StandaloneUpdaterSafeMode = 2
Executable files: 250
Suspicious files: 274
Text files: 696
Unknown types: 2

Dropped files

PID | Process | Filename | Type
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe | (not listed)
  MD5: (not listed)
  SHA256: (not listed)
3344 | OneDriveSetup.exe | (not listed) | (not listed)
  MD5: (not listed)
  SHA256: (not listed)
6088 | OneDriveSetup.exe | C:\Windows\TEMP\tmp3A43.tmp | (not listed)
  MD5: (not listed)
  SHA256: (not listed)
252 | WinRAR.exe | C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT | binary
  MD5: 5297F9F4493539C30862448C18AF7E7E
  SHA256: 48740A77B1E37B54F3E6BC5FB34B126F2C4131AD97BBA54E881A47F95C6AFCFA
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\Update.xml | xml
  MD5: 95DBBD688A7A2948A5BE4744F616B710
  SHA256: D60DFD51E7EC89C0007ECA1A9C887AE271D3089CD8179A828A7853951DF514A5
252 | WinRAR.exe | C:\Users\admin\Desktop\OneDriveStandaloneUpdater.exe | executable
  MD5: AF274FDDAD0022CB4C01212614D2951C
  SHA256: DFFB728A6A95A20E98B509805419C171C1C4FFF6E7F161CBDE32AE6F042FE629
6088 | OneDriveSetup.exe | C:\Program Files\Microsoft OneDrive\24.128.0625.0001\alertIcon.png | image
  MD5: 6F15F15BF8CC8059DA207F3939757D0C
  SHA256: DFCE82B767F09F42808AC37128DD8AD1BD20E7B552392BAB17ECFF1D0BEF08F6
6088 | OneDriveSetup.exe | C:\Program Files\Microsoft OneDrive\24.128.0625.0001\alertIconWhite.png | image
  MD5: C8F78504985B826A6C64DC14C2C194AB
  SHA256: 521408A1EC238AEF821DDA2AA7086C5814408EAE073D60E152FE219464DB1B9E
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2024-07-16.0958.4356.1.odl | binary
  MD5: F7E69279CE939F03BA488D43A7DB46C1
  SHA256: E7115C712B9A2DE5EEA6BA844C12ABA4C67C989431DD49C578653459998557A6
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\ECSConfig.json | binary
  MD5: 63672C40304E4EFAC6F079964748FD8B
  SHA256: 824EDDBD43047CA616FE82D3F187DCDAF36F111994B7A7FE6FA369167E778FE4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 64
DNS requests: 37
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this export)
1332 | svchost.exe | GET | 200 | 88.221.110.216:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
3984 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7bc59fe8a71b279c | unknown | whitelisted
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
3984 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4552 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1332 | svchost.exe | 88.221.110.147:80 | - | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4332 | svchost.exe | 23.35.236.109:443 | fs.microsoft.com | AKAMAI-AS | DE | unknown
4332 | svchost.exe | 13.74.129.92:443 | g.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4332 | svchost.exe | 23.35.237.43:443 | oneclient.sfx.ms | AKAMAI-AS | DE | unknown
1332 | svchost.exe | 88.221.110.216:80 | - | Akamai International B.V. | DE | unknown
3984 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3984 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
4356 | OneDriveStandaloneUpdater.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP(s) | Reputation
google.com | 142.250.186.174 | whitelisted
fs.microsoft.com | 23.35.236.109 | whitelisted
g.live.com | 13.74.129.92 | whitelisted
oneclient.sfx.ms | 23.35.237.43 | unknown
login.live.com | 40.126.32.72, 20.190.160.14, 20.190.160.17, 20.190.160.20, 40.126.32.133, 40.126.32.76, 20.190.160.22, 40.126.32.68, 40.126.32.134, 40.126.32.138, 40.126.32.136 | whitelisted
ctldl.windows update.com | 93.184.221.240 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
v10.events.data.microsoft.com | 20.189.173.10 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted

Threats

PID | Process | Class | Message
1332 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test

Debug output

Process: msedgewebview2.exe
Message: RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\OneDrive directory exists )