Just remoted into my laptop, which is in the other room, and when the login completed I was presented with a Windows dialog (signing authorisation) and a blank background. It said do you want to run Onedrivepatcher.exe, which I thought was strange as I haven't used the laptop in a couple of weeks.
Searching the web reveals it is a sophisticated malware file although what it does is unclear. I presume it encrypts onedrive files for ransom.
So not taking any chances - in the process of resetting the laptop from the cloud and, when that's done, updating.
Thoughts?
Found the file in the Onedrive folder under my username: OnedrivePatcher.exe. It is digitally signed by Microsoft on the 15 April 2026, so could it be legit? Searches say no.
Started looking at this and asked ChatGPT. I'll paste what it said as it's useful advice:
OneDrivePatcher.exe is a real Microsoft OneDrive component used during OneDrive updates/patching.
But here’s the important bit:
* A legitimate OneDrivePatcher.exe normally lives somewhere like:
  * C:\Program Files\Microsoft OneDrive\
  * or inside the user profile OneDrive update folders.
* It should be digitally signed by Microsoft.
However, malware authors have started abusing it because:
* it’s Microsoft-signed,
* Windows tends to trust it,
* attackers can pair it with malicious DLLs for DLL hijacking.
So the filename alone means nothing. What matters is:
* file path,
* digital signature,
* what launched it.
Quick checks:
1. Right click → Properties → Digital Signatures
   * should say Microsoft Corporation.
2. Check location.
3. Upload the file to:
   * VirusTotal
4. If it randomly asked for admin access while you weren’t updating OneDrive, that’s suspicious.
If you want, paste:
* the full file path,
* or a screenshot of Properties → Details / Digital Signatures,
and I’ll tell you whether it looks legit or sketchy.
seb
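
The path, signature and "what launched it" checks listed in the post, as a PowerShell script added here (it is not part of the original post or of the pasted ChatGPT reply). The `-Path` argument is wherever the file was found; step 3 goes a little beyond the listed checks and inspects the DLLs beside the EXE, since the post names DLL hijacking as the abuse pattern.

```powershell
# Added example: triage a file claiming to be OneDrivePatcher.exe.
# Assumption: -Path is supplied by the user (the location where the file was found).
param([Parameter(Mandatory)][string]$Path)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Signature: Status must be 'Valid'; a Microsoft name alone is not enough.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
[pscustomobject]@{
    Path      = $file.FullName
    SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    SigStatus = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    Created   = $file.CreationTime
} | Format-List

# 2. Location: compare against the install folder named in the post.
$expected = Join-Path $env:ProgramFiles 'Microsoft OneDrive'
if (-not $file.FullName.StartsWith($expected, [StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "Not under '$expected'. Per-user OneDrive update folders are also possible; review the path by hand."
}

# 3. Side-loading: Windows searches the EXE's own folder early when resolving
#    DLLs, so list every DLL next to it with its signature status.
Get-ChildItem -LiteralPath $file.DirectoryName -Filter *.dll -File |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Dll       = $_.Name
            SigStatus = $s.Status
            Signer    = $s.SignerCertificate.Subject
            Written   = $_.LastWriteTime
        }
    } | Sort-Object SigStatus | Format-Table -AutoSize

# 4. What launched it: if an instance is running now, show its parent process.
Get-CimInstance Win32_Process -Filter "Name = 'OneDrivePatcher.exe'" |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Image       = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Parent      = $parent.Name
            ParentPath  = $parent.ExecutablePath
        }
    } | Format-List
```

A `Valid` Microsoft signature on the EXE together with an unsigned or recently written DLL in the same folder is the combination to look at first; the SHA256 value can be searched on VirusTotal without uploading the file.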