OneDriveStandaloneUpdater.exe Persistence
TLDR: Replace this executable with your malware. Runs automatically, once per day:
%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
OneDrive Standalone Update Task
- Executes once per day. The exact execution time seems to vary from host to host (possibly affected by first boot time during Windows install).
- Also gets executed a second time with the /reporting flag added by the “OneDrive Reporting Task”.
- Enabled by default in Windows 10 - even if the user has disabled OneDrive from running on startup
- OneDriveStandaloneUpdater.exe - Lives in a user-writable location on disk:
%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
- Replacing the EXE doesn’t break anything that the user may observe. 🙂
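
Because the replaced EXE causes nothing the user would notice, the practical check is on the file itself. The following PowerShell audit is an added example, not part of the original post: it verifies the Authenticode signature of every per-user copy of the updater and lists what the two scheduled tasks named above actually launch. It assumes profiles live under %SystemDrive%\Users and that the task names begin with the names given on this page; run it elevated to read other users' profiles.

```powershell
# Added example (defensive audit), not code from the original page.
# Assumption: user profiles live under %SystemDrive%\Users.
$pattern = Join-Path $env:SystemDrive `
    'Users\*\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'

$files = foreach ($file in Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue) {
    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Trusted only if the signature validates AND the signer is Microsoft.
    # An unsigned, tampered or third-party-signed file is flagged.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Suspect  = -not $trusted
        Path     = $file.FullName
        Status   = $sig.Status
        Signer   = $signer
        Modified = $file.LastWriteTimeUtc
        SHA256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Cross-check: which binary and arguments do the scheduled tasks launch?
# Assumption: task names start with the two names given on this page.
$taskNames = 'OneDrive Standalone Update Task*', 'OneDrive Reporting Task*'
$tasks = Get-ScheduledTask -TaskName $taskNames -ErrorAction SilentlyContinue |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskName
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }

# Suspect files first, then the task inventory for comparison.
$files | Sort-Object Suspect -Descending | Format-List
$tasks | Format-Table -AutoSize -Wrap
```

Any row with `Suspect = True`, or a task whose `Execute` path points somewhere other than the signed updater, warrants a closer look at the file's hash and modification time.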
