onedrv.exe

The application onedrv.exe has been detected as a potentially unwanted program by 2 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘OneDrive’.
Version:
1.0.0.0

MD5:
59a46b142017350ee7fa662fa0ced62f

SHA-1:
4031cc141a596b07be41d91e5d1c3a1d8890e4bf

SHA-256:
ab795829cff23bbb832e1bbac9b1a5117a844c5a6f6118863f2d4ba0488f92b9

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 12:31:53 AM UTC

Scan engine | Detection | Engine version
avast! | Win32:Malware-gen | 160327-1
ESET NOD32 | Win32/Adware.BrowSecX.AK application | 8.0.319.0

File size:
1.6 MB (1,709,568 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\google\update\onedrv.exe

File PE Metadata
Compilation timestamp:
5/11/2016 11:54:52 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:SfqQiRYnSXSlh9aS68vRI87IGgyTPOLi7FJ7Mie0:Sfq3RYASlh9aS68vNRgcPUi7FJ7Mid

Entry address:
0x453890

Entry point:
60, BE, 00, 20, 6C, 00, 8D, BE, 00, F0, D3, FF, C7, 87, 10, 2C, 33, 00, 0C, 77, 0C, 9E, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...

Entropy:
7.9076

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
1.6 MB (1,646,592 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
OneDrive

Command:
"C:\Documents and Settings\{user}\Application data\google\update\onedrv.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-72-9-51.eu-west-1.compute.amazonaws.com  (54.72.9.51:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-mrs1.fbcdn.net  (31.13.75.12:443)

TCP (HTTP):
Connects to admarketplace.dmarc.lga1.atlanticmetro.net  (108.60.149.204:80)

TCP (HTTP):
Connects to sg2plpkivs-v01.any.prod.sin2.secureserver.net  (182.50.136.237:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-mrs1.facebook.com  (31.13.75.36:443)

TCP (HTTP SSL):
Connects to ec2-52-201-97-156.compute-1.amazonaws.com  (52.201.97.156:443)

TCP (HTTP):
Connects to server-54-230-149-173.sin2.r.cloudfront.net  (54.230.149.173:80)

TCP (HTTP SSL):
Connects to ec2-52-7-154-8.compute-1.amazonaws.com  (52.7.154.8:443)

TCP (HTTP SSL):
Connects to ec2-52-3-176-101.compute-1.amazonaws.com  (52.3.176.101:443)
