File name: OneDriveStandaloneUpdater.exe.zip

Full analysis: https://app.any.run/tasks/43b75c1f-55da-4227-a145-27bd361f5aed
Verdict: Malicious activity
Analysis date: July 16, 2024, 09:58:03
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: CCC1A331FE9F70325FF3ED7C45669B38
SHA1: 0F66841DF9DEAD30D19C7EEF26004E6DAC9A675F
SHA256: FD91F9B0648CBF44EC61FAFEC5C98742AEEB41AB89A9E7AD0C852941C023B38A
SSDEEP: 49152:4lVqU8VSiZzorqUxIjAI40vdSE+9rCvlON/3ew8muGvUyQxB30t/aNHoXxBu9h8W:W4UQSWzoJIj5Xlr+pN//lxp6301aCPuB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • OneDriveSetup.exe (PID: 6088)
    • Drops the executable file immediately after the start

      • OneDriveSetup.exe (PID: 6088)
      • WinRAR.exe (PID: 252)
    • Scans artifacts that could help determine the target

      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • OneDrive.exe (PID: 1584)
      • msedgewebview2.exe (PID: 4228)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 1048)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OneDriveStandaloneUpdater.exe (PID: 4356)
    • Checks Windows Trust Settings

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • OneDrive.exe (PID: 1584)
    • Reads the Internet Settings

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads security settings of Internet Explorer

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • WinRAR.exe (PID: 252)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads the date of Windows installation

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
    • Reads settings of System Certificates

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Application launched itself

      • OneDriveSetup.exe (PID: 3344)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 4248)
    • Executable content was dropped or overwritten

      • OneDriveSetup.exe (PID: 6088)
    • Process drops legitimate windows executable

      • OneDriveSetup.exe (PID: 6088)
      • WinRAR.exe (PID: 252)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 6088)
    • The process creates files with name similar to system file names

      • OneDriveSetup.exe (PID: 6088)
    • Creates/Modifies COM task schedule object

      • OneDriveSetup.exe (PID: 6088)
    • Changes Internet Explorer settings (feature browser emulation)

      • OneDriveSetup.exe (PID: 6088)
    • Write to the desktop.ini file (may be used to cloak folders)

      • FileSyncConfig.exe (PID: 2788)
    • Creates a software uninstall entry

      • OneDriveSetup.exe (PID: 6088)
  • INFO

    • Checks supported languages

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • msedgewebview2.exe (PID: 1328)
      • msedgewebview2.exe (PID: 1048)
      • msedgewebview2.exe (PID: 5668)
      • OneDrive.exe (PID: 1584)
      • msedgewebview2.exe (PID: 5560)
      • msedgewebview2.exe (PID: 432)
    • Checks proxy server information

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Manual execution by a user

      • OneDriveStandaloneUpdater.exe (PID: 4356)
    • Creates files or folders in the user directory

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • msedgewebview2.exe (PID: 1328)
      • msedgewebview2.exe (PID: 5560)
      • OneDrive.exe (PID: 1584)
    • Reads the machine GUID from the registry

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads the computer name

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • FileSyncConfig.exe (PID: 2788)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • msedgewebview2.exe (PID: 5560)
      • msedgewebview2.exe (PID: 1048)
      • OneDrive.exe (PID: 1584)
    • Reads Microsoft Office registry keys

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • FileSyncConfig.exe (PID: 2788)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • OneDrive.exe (PID: 1584)
    • Reads the software policy settings

      • OneDriveStandaloneUpdater.exe (PID: 4356)
      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
      • OneDrive.exe (PID: 1584)
    • Reads Environment values

      • OneDriveSetup.exe (PID: 3344)
      • OneDriveSetup.exe (PID: 6088)
      • OneDrive.exe (PID: 4248)
      • Microsoft.SharePoint.exe (PID: 1524)
      • OneDrive.exe (PID: 1584)
      • msedgewebview2.exe (PID: 4228)
    • Creates files in the program directory

      • OneDriveSetup.exe (PID: 6088)
    • Create files in a temporary directory

      • Microsoft.SharePoint.exe (PID: 1524)
      • msedgewebview2.exe (PID: 4228)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:07:16 09:38:36
ZipCRC: 0xe6b2b3d6
ZipCompressedSize: 1709334
ZipUncompressedSize: 4209056
ZipFileName: OneDriveStandaloneUpdater.exe
No data.
All screenshots are available in the full report
Total processes: 116
Monitored processes: 14
Malicious processes: 6
Suspicious processes: 2

Behavior graph

Process nodes in the graph: start, winrar.exe, onedrivestandaloneupdater.exe, onedrivesetup.exe, onedrivesetup.exe, filesyncconfig.exe, onedrive.exe, microsoft.sharepoint.exe, msedgewebview2.exe, msedgewebview2.exe, msedgewebview2.exe, msedgewebview2.exe, msedgewebview2.exe, msedgewebview2.exe, onedrive.exe

Process information

PID: 252
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 432
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView" --webview-exe-name=OneDrive.exe --webview-exe-version=24.128.0625.0001 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2372 --field-trial-handle=1892,i,1582774147777350670,5190960477022882854,131072 --disable-features=msEnhancedTrackingPreventionEnabled /prefetch:8
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1048
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView" --webview-exe-name=OneDrive.exe --webview-exe-version=24.128.0625.0001 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 --field-trial-handle=1892,i,1582774147777350670,5190960477022882854,131072 --disable-features=msEnhancedTrackingPreventionEnabled /prefetch:2
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1328
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=103.0.5060.134 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=103.0.1264.77 --initial-client-data=0x128,0x12c,0x130,0x104,0x138,0x7ff9c0f1a0b8,0x7ff9c0f1a0c8,0x7ff9c0f1a0d8
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1524
CMD: /silentConfig
Path: C:\Program Files\Microsoft OneDrive\24.128.0625.0001\Microsoft.SharePoint.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft SharePoint
Exit code: 0
Version: 24.128.0625.0001
Modules (images):
c:\program files\microsoft onedrive\24.128.0625.0001\microsoft.sharepoint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1584
CMD: "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /client=Personal /background
Path: C:\Program Files\Microsoft OneDrive\OneDrive.exe
Parent process: OneDrive.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Version: 24.128.0625.0001
Modules (images):
c:\program files\microsoft onedrive\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 2788
CMD: "C:\Program Files\Microsoft OneDrive\24.128.0625.0001\FileSyncConfig.exe" /allusers
Path: C:\Program Files\Microsoft OneDrive\24.128.0625.0001\FileSyncConfig.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft OneDrive Configuration Application
Exit code: 0
Version: 24.128.0625.0001
Modules (images):
c:\program files\microsoft onedrive\24.128.0625.0001\filesyncconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 3344
CMD: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /restart /updateSource:ODSU
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
Parent process: OneDriveStandaloneUpdater.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive (64 bit) Setup
Exit code: 0
Version: 24.128.0625.0001
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\standaloneupdater\onedrivesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32full.dll

PID: 4228
CMD: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=OneDrive.exe --webview-exe-version=24.128.0625.0001 --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\OneDrive\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msEnhancedTrackingPreventionEnabled --mojo-named-platform-channel-pipe=4248.3064.15023526274655039146
Path: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe
Parent process: OneDrive.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Exit code: 0
Version: 103.0.1264.77
Modules (images):
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 4248
CMD: /updateInstalled /background
Path: C:\Program Files\Microsoft OneDrive\OneDrive.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Exit code: 3011
Version: 24.128.0625.0001
Modules (images):
c:\program files\microsoft onedrive\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 60 918
Read events: 59 653
Write events: 577
Delete events: 688

Modification events

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: VerInfo
Value: 005B0500AF8954AA66D7DA01

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\OneDriveStandaloneUpdater.exe.zip

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (252) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

(PID) Process: (4356) OneDriveStandaloneUpdater.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive
Operation: write
Name: StandaloneUpdaterSafeMode
Value: 2
Executable files: 250
Suspicious files: 274
Text files: 696
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe | | |
3344 | OneDriveSetup.exe | | | |
6088 | OneDriveSetup.exe | C:\Windows\TEMP\tmp3A43.tmp | | |
252 | WinRAR.exe | C:\Users\admin\Desktop\OneDriveStandaloneUpdater.exe | executable | AF274FDDAD0022CB4C01212614D2951C | DFFB728A6A95A20E98B509805419C171C1C4FFF6E7F161CBDE32AE6F042FE629
252 | WinRAR.exe | C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT | binary | 5297F9F4493539C30862448C18AF7E7E | 48740A77B1E37B54F3E6BC5FB34B126F2C4131AD97BBA54E881A47F95C6AFCFA
252 | WinRAR.exe | C:\Users\admin\Desktop\checksums.txt | text | 14CE700A4C749EAF1352CC80CF279AC3 | 1BD8AF98D4ED95454D9A8F8FAC120B82EB2182F5E5CE93CF1BFAE85407C7BA41
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\Update.xml | xml | 95DBBD688A7A2948A5BE4744F616B710 | D60DFD51E7EC89C0007ECA1A9C887AE271D3089CD8179A828A7853951DF514A5
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Temp\wct8CFC.tmp | binary | 63672C40304E4EFAC6F079964748FD8B | 824EDDBD43047CA616FE82D3F187DCDAF36F111994B7A7FE6FA369167E778FE4
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-07-16_095823_4356-4696.log | binary | EA0D00AD9522DE45F2D484C900F80235 | 99A90243E381EFEB3177EDA10D3BB5FF5A8DAB9E68797B5485A3006B0751F8F6
4356 | OneDriveStandaloneUpdater.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\ECSConfig.json | binary | 63672C40304E4EFAC6F079964748FD8B | 824EDDBD43047CA616FE82D3F187DCDAF36F111994B7A7FE6FA369167E778FE4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 64
DNS requests: 37
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3984 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7bc59fe8a71b279c | unknown | whitelisted
1332 | svchost.exe | GET | 200 | 88.221.110.216:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
3984 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
1088 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4552 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1332 | svchost.exe | 88.221.110.147:80 | | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4332 | svchost.exe | 23.35.236.109:443 | fs.microsoft.com | AKAMAI-AS | DE | unknown
4332 | svchost.exe | 13.74.129.92:443 | g.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4332 | svchost.exe | 23.35.237.43:443 | oneclient.sfx.ms | AKAMAI-AS | DE | unknown
1332 | svchost.exe | 88.221.110.216:80 | | Akamai International B.V. | DE | unknown
3984 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3984 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
4356 | OneDriveStandaloneUpdater.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
fs.microsoft.com
  • 23.35.236.109
whitelisted
g.live.com
  • 13.74.129.92
whitelisted
oneclient.sfx.ms
  • 23.35.237.43
unknown
login.live.com
  • 40.126.32.72
  • 20.190.160.14
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.136
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
v10.events.data.microsoft.com
  • 20.189.173.10
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted

Threats

PID | Process | Class | Message
1332 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test

Process | Message
msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\OneDrive directory exists )