File name: OneLaunch - Easy PDF_5g48t.exe
Full analysis: https://app.any.run/tasks/226b150e-0864-4846-84e3-0426084f1cc7
Verdict: Malicious activity
Threats:

Stealers are a category of malware intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers programs that each focus on a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 09, 2025, 20:13:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: BA8D05DD65D28B7BFEF589B6345DB3BB
SHA1: 21E5CC4F99D0B288A218D2CA4309124F948F1B3F
SHA256: 265A5261F1779CE1EC5C292F62094F82CF35F462C7C82A1042B21E8F92CF43C8
SSDEEP: 98304:D+QqZ8fXx1f0JLXfZvgEsLO+GfRY0FsczDYNOKUXMlqyiNYP4zAu9kz5i+HVUMc8:3GY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • Changes the autorun value in the registry

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch.exe (PID: 3176)
    • Actions look like stealing of personal data

      • chromium.exe (PID: 968)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • OneLaunch - Easy PDF_5g48t.exe (PID: 1312)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.exe (PID: 2420)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.exe (PID: 3008)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • onelaunch_8dd8f362948fa04.exe (PID: 6632)
      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
    • Reads security settings of Internet Explorer

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • chromium.exe (PID: 968)
      • OneLaunch.exe (PID: 3176)
      • onelaunchtray.exe (PID: 1056)
    • Reads the Windows owner or organization settings

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • There is functionality for taking screenshot (YARA)

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch.exe (PID: 3176)
      • onelaunchtray.exe (PID: 1056)
    • Uses TASKKILL.EXE to kill process

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • Process drops legitimate windows executable

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
    • The process drops Mozilla's DLL files

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 1188)
      • schtasks.exe (PID: 4728)
      • schtasks.exe (PID: 6876)
      • schtasks.exe (PID: 2140)
      • schtasks.exe (PID: 4180)
      • schtasks.exe (PID: 7012)
      • schtasks.exe (PID: 6512)
      • schtasks.exe (PID: 2596)
      • schtasks.exe (PID: 2100)
      • schtasks.exe (PID: 5188)
      • schtasks.exe (PID: 4188)
      • schtasks.exe (PID: 664)
    • Application launched itself

      • chromium.exe (PID: 968)
      • chromium.exe (PID: 2644)
      • chromium.exe (PID: 3012)
      • chromium.exe (PID: 5796)
    • Reads the date of Windows installation

      • OneLaunch.exe (PID: 3176)
    • Executes application which crashes

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • Potential Corporate Privacy Violation

      • OneLaunch.exe (PID: 3176)
    • Uses ICACLS.EXE to modify access control lists

      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
    • Starts CMD.EXE for commands execution

      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
    • Executing commands from a ".bat" file

      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
  • INFO

    • Checks supported languages

      • OneLaunch - Easy PDF_5g48t.exe (PID: 1312)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.exe (PID: 2420)
      • OneLaunch Setup_5g48t.exe (PID: 3008)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch.exe (PID: 3176)
      • chromium.exe (PID: 2644)
      • chromium.exe (PID: 3768)
      • chromium.exe (PID: 968)
      • onelaunchtray.exe (PID: 1056)
    • Create files in a temporary directory

      • OneLaunch - Easy PDF_5g48t.exe (PID: 1312)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.exe (PID: 2420)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.exe (PID: 3008)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • chromium.exe (PID: 968)
    • Reads the computer name

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch.exe (PID: 3176)
      • chromium.exe (PID: 968)
      • chromium.exe (PID: 2644)
      • onelaunchtray.exe (PID: 1056)
    • Compiled with Borland Delphi (YARA)

      • OneLaunch - Easy PDF_5g48t.exe (PID: 1312)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch Setup_5g48t.exe (PID: 3008)
      • OneLaunch - Easy PDF_5g48t.exe (PID: 2420)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • Reads the software policy settings

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • slui.exe (PID: 5528)
      • OneLaunch.exe (PID: 3176)
    • Reads the machine GUID from the registry

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch.exe (PID: 3176)
      • chromium.exe (PID: 968)
      • onelaunchtray.exe (PID: 1056)
    • Checks proxy server information

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch.exe (PID: 3176)
    • Detects InnoSetup installer (YARA)

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.exe (PID: 1312)
      • OneLaunch Setup_5g48t.exe (PID: 3008)
      • OneLaunch - Easy PDF_5g48t.exe (PID: 2420)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • Process checks computer location settings

      • OneLaunch - Easy PDF_5g48t.tmp (PID: 4120)
      • OneLaunch - Easy PDF_5g48t.tmp (PID: 5400)
      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch.exe (PID: 3176)
    • The sample was compiled with English language support

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • onelaunch_8dd8f362948fa04.tmp (PID: 6256)
    • Creates files or folders in the user directory

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
      • OneLaunch.exe (PID: 3176)
      • chromium.exe (PID: 968)
      • onelaunchtray.exe (PID: 1056)
      • WerFault.exe (PID: 680)
    • Creates a software uninstall entry

      • OneLaunch Setup_5g48t.tmp (PID: 5436)
    • Creates files in the program directory

      • OneLaunch.exe (PID: 3176)
      • onelaunchtray.exe (PID: 1056)
    • Reads Environment values

      • OneLaunch.exe (PID: 3176)
    • Disables trace logs

      • OneLaunch.exe (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:15 09:48:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 151552
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.25.0.0
ProductVersionNumber: 5.25.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: OneLaunch
FileDescription: OneLaunch Setup
FileVersion: 5.25.0
LegalCopyright: Copyright OneLaunch. All rights reserved.
OriginalFileName:
ProductName: OneLaunch
ProductVersion: 5.25.0
No data.
All screenshots are available in the full report
Total processes: 200
Monitored processes: 58
Malicious processes: 6
Suspicious processes: 2

Behavior graph

Process launch order as drawn in the graph ("no specs" is carried over from the report as shown):

start
onelaunch - easy pdf_5g48t.exe
onelaunch - easy pdf_5g48t.tmp
sppextcomobj.exe (no specs)
slui.exe
onelaunch - easy pdf_5g48t.exe
onelaunch - easy pdf_5g48t.tmp
onelaunch setup_5g48t.exe
onelaunch setup_5g48t.tmp
taskkill.exe (no specs), conhost.exe (no specs)
taskkill.exe (no specs), conhost.exe (no specs)
taskkill.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
onelaunch.exe
slui.exe
chromium.exe
chromium.exe (no specs)
chromium.exe (no specs)
onelaunchtray.exe (no specs)
werfault.exe (no specs)
werfault.exe (no specs)
onelaunch_8dd8f362948fa04.exe
onelaunch_8dd8f362948fa04.tmp
chromium.exe (no specs)
chromium.exe (no specs)
chromium.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
schtasks.exe (no specs), conhost.exe (no specs)
icacls.exe (no specs), conhost.exe (no specs)
icacls.exe (no specs), conhost.exe (no specs)
cmd.exe (no specs), conhost.exe (no specs)
svchost.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID 496 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 664 | CMD: "schtasks" /delete /tn OneLaunchUpdateTask /f | Path: C:\Windows\System32\schtasks.exe | Parent process: onelaunch_8dd8f362948fa04.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 680 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5436 -s 2756 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: OneLaunch Setup_5g48t.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 812 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 968 | CMD: "C:\Users\admin\AppData\Local\OneLaunch\5.25.0\chromium\chromium.exe" --start-maximized --tab-trigger=Launch | Path: C:\Users\admin\AppData\Local\OneLaunch\5.25.0\chromium\chromium.exe | Parent process: OneLaunch Setup_5g48t.tmp
User: admin
Company: OneLaunch
Integrity Level: MEDIUM
Description: OneLaunch
Exit code: 4294930433
Version: 118.0.0.0
Modules
Images
c:\users\admin\appdata\local\onelaunch\5.25.0\chromium\chromium.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 1056 | CMD: "C:\Users\admin\AppData\Local\OneLaunch\5.25.0\onelaunchtray.exe" | Path: C:\Users\admin\AppData\Local\OneLaunch\5.25.0\onelaunchtray.exe | Parent process: OneLaunch.exe
User: admin
Company: OneLaunch
Integrity Level: MEDIUM
Description: OneLaunchTray
Version: 5.25.0.0
Modules
Images
c:\users\admin\appdata\local\onelaunch\5.25.0\onelaunchtray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 1096 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1188 | CMD: "schtasks" /Delete /TN "OneLaunchLaunchTask" /F | Path: C:\Windows\System32\schtasks.exe | Parent process: OneLaunch Setup_5g48t.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1312 | CMD: "C:\Users\admin\AppData\Local\Temp\OneLaunch - Easy PDF_5g48t.exe" | Path: C:\Users\admin\AppData\Local\Temp\OneLaunch - Easy PDF_5g48t.exe | Parent process: explorer.exe
User: admin
Company: OneLaunch
Integrity Level: MEDIUM
Description: OneLaunch Setup
Exit code: 0
Version: 5.25.0
Modules
Images
c:\users\admin\appdata\local\temp\onelaunch - easy pdf_5g48t.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 2100 | CMD: "schtasks" /Delete /TN "OneLaunchLaunchTask" /F | Path: C:\Windows\System32\schtasks.exe | Parent process: onelaunch_8dd8f362948fa04.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 18 613
Read events: 18 413
Write events: 193
Delete events: 7

Modification events

PID 5400 (OneLaunch - Easy PDF_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: Owner | Value: 1815000036FE41EE1EC1DB01
PID 5400 (OneLaunch - Easy PDF_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: SessionHash | Value: 46721588D3E134CE9BEEE441E29B0CB59A480FAC0D558AB7D4661036B95F9C1C
PID 5400 (OneLaunch - Easy PDF_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: Sequence | Value: 1
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: version | Value: 5.25.0.0
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: assembly | Value: C:\Users\admin\AppData\Local\OneLaunch\5.25.0\onelaunch.exe
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: install_info
Value:
{"message":"No Record Found","install_time":1746821625,"distinct_id":"F2DB79C9-FEA9-4996-9292-EF608864DD99","default_browser":"MSEdgeHTM","initinal_version":"5.25.0.0","packaged_browser":"chromium","split":"c","no_split":false,"split2":"a","split_22_12_more_educational_miniprompts":"control","encoded_splits":"000"}
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: settings
Value:
{"ob_new_tab_url":"https://onenews.com/?s=https%3A%2F%2Fsearch.yahoo.com%2Fyhs%2Fsearch%3Fhspart%3Dreb%26hsimp%3Dyhs-ext_onelaunch%26p%3D%7BsearchTerms%7D%26type%3D0_1000_100_1000_100_250509","accuweather_api":"7f64ed3093d8436e994f9dc7e382a06a","thanks_url":"","amazon_url":"https://wbd_ol.ampxdirect.com/amazon?sub1=default&sub2=amazon","search_name":"Yahoo!","extensions":["hffgmnbojgnbalmhedkdikfhaflnfcno;https://chrmxtnsnhdnnlnch.onelaunch.com/ex?hf"],"search_url":"https://search.yahoo.com/yhs/search?hspart=reb&hsimp=yhs-ext_onelaunch&p={searchTerms}&type=0_1000_100_1000_100_691231","preload_extensions":["gcklppdiegejnfnpepkaagjmdneobkgi;https://static.slickdealscdn.com/attachment/extension/onelaunch/sd-3.6.8.crx"],"suggest_url":"https://us.search.yahoo.com/sugg/gossip/gossip-us-partner?output=fxjson&appid=reb&command={searchTerms}","type_tag":"0_1000_100_1000_100_250509","rich_suggest_url":"https://us.search.yahoo.com/sugg/gossip/gossip-us-fastbreak?command={searchTerms}&output=fxjson&appid=reb-rich","url_app_overrides":["ebay_popular;https://ebay.com","ebay;https://ebay.com"],"new_tab_url":"https://onenews.com/","iframe_ntp_url":"https://onenews.com/","is_ntp_iframe":"false"}
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: reinstall_count | Value: 0
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: attribution_keys | Value: {"keyList":["5g48t"]}
PID 5436 (OneLaunch Setup_5g48t.tmp) | Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch | Operation: write | Name: update_count | Value: 0
Executable files: 496
Suspicious files: 334
Text files: 293
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type (hashes listed beneath each row; "-" where the report shows none)

4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\is-A200J.tmp | -
MD5: - | SHA256: -
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\OneLaunch Setup.exe | -
MD5: - | SHA256: -
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\OneLaunch Setup.exe | -
MD5: - | SHA256: -
5400 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\OneLaunch Setup_5g48t.exe | -
MD5: - | SHA256: -
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4 | SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\min-10-light.png | image
MD5: 2257B1D0D33A41F509E7C3E117819F8B | SHA256: D43E4B285B5B54313B53E87D2A56CA9BA0C85F8F55C9C5FDCDB4FAC815FF4D02
5436 | OneLaunch Setup_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-AMVAT.tmp\exit-10-light.png | image
MD5: 2CCE6763F61DDDB4599CB058D6761C56 | SHA256: 0FC8E40A3B0E7A516E108DC0F3267DCCCB4DE04D28A21EB68A45A8AC1BB9DF8F
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\onelaunch.png | image
MD5: D3110FB775EE7FD24426503D67840C25 | SHA256: F8392390DC81756E79EC5F359DBDCAC3B4BD219B5188A429B814FC51AABB6E36
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\Win32Library.dll | executable
MD5: CC5F1D8D698D4E0ADF12675B73A5F5C7 | SHA256: 57AC4E4F5E8479BD0D232EE44BBEC4B689848CB4099833707F4F1FE321DFE041
4120 | OneLaunch - Easy PDF_5g48t.tmp | C:\Users\admin\AppData\Local\Temp\is-KI82G.tmp\min-pressed.bmp | image
MD5: 4B549427F8B753A01272BEC3A658E7BA | SHA256: FE03E30C13229D50685E3387F4F271BEFE57DFA74BE890D09C089FB3688469A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 262
DNS requests: 160
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation ("-" where the report shows no value)

5496 | MoUsoCoreWorker.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted
3176 | OneLaunch.exe | HEAD | 301 | 2.19.225.87:80 | http://pages.ebay.com/messages/page_not_responding.html | FR | - | - | whitelisted
6876 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | QA | binary | 419 b | whitelisted
3176 | OneLaunch.exe | HEAD | 301 | 2.19.225.87:80 | http://pages.ebay.com/messages/page_not_responding.html | FR | - | - | whitelisted
6876 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | QA | binary | 407 b | whitelisted
3176 | OneLaunch.exe | HEAD | 301 | 2.19.225.87:80 | http://pages.ebay.com/messages/page_not_responding.html | FR | - | - | whitelisted
3176 | OneLaunch.exe | HEAD | 301 | 2.19.225.87:80 | http://pages.ebay.com/messages/page_not_responding.html | FR | - | - | whitelisted
3176 | OneLaunch.exe | GET | 200 | 23.72.249.8:80 | http://api.accuweather.com/locations/v1/cities/ipaddress?&apikey=7f64ed3093d8436e994f9dc7e382a06a | FR | binary | 1.06 Kb | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report shows no value)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4024 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 104.124.11.17:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4120 | OneLaunch - Easy PDF_5g48t.tmp | 18.173.205.55:443 | attribution.onelaunch.com | - | US | whitelisted
4120 | OneLaunch - Easy PDF_5g48t.tmp | 104.26.12.224:443 | update.onelaunch.com | CLOUDFLARENET | US | suspicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 104.124.11.17
  • 104.124.11.58
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
attribution.onelaunch.com
  • 18.173.205.55
  • 18.173.205.127
  • 18.173.205.66
  • 18.173.205.38
whitelisted
update.onelaunch.com
  • 104.26.12.224
  • 104.26.13.224
  • 172.67.68.170
unknown
api.keen.io
  • 44.224.17.28
  • 52.42.51.124
  • 52.38.117.119
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
release-cdn.onelaunch.com
  • 172.67.68.170
  • 104.26.13.224
  • 104.26.12.224
unknown
login.live.com
  • 20.190.160.2
  • 40.126.32.134
  • 20.190.160.65
  • 20.190.160.14
  • 20.190.160.132
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.133
whitelisted

Threats

Columns: PID | Process | Class | Message

2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image Sharing Service (imgur.com)
3176 | OneLaunch.exe | Potential Corporate Privacy Violation | ET INFO Dropbox.com Offsite File Backup in Use
3176 | OneLaunch.exe | Potential Corporate Privacy Violation | ET INFO Dropbox.com Offsite File Backup in Use
No debug info