File name: download
Full analysis: https://app.any.run/tasks/98b8c44d-a9c4-4c84-9fac-10d261ab6f9a
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 24, 2024, 20:07:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: CE5C07B80B5B217C41E8401F2F8A506B
SHA1: 226FDE4A6E8778019EFC7416EDDB7A0AB02968C0
SHA256: 49A04B61179E3B16FB0F1F126C7ABE1218A863E1C300942759696BC8D7E07B2A
SSDEEP: 98304:6+QqZ8fX9S4PKlCsmhSwvuCiaHvdJqGRHRDMMCpaRJT4CaX6957tOmffXoXmsso9:6thFSEGN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
    • Steals credentials from Web Browsers

      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 3840)
    • Actions looks like stealing of personal data

      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 3840)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • download.exe (PID: 6516)
      • download.tmp (PID: 6536)
      • download.exe (PID: 5628)
      • OneLaunch Setup_.exe (PID: 6208)
      • OneLaunch Setup_.tmp (PID: 6228)
      • download.tmp (PID: 6160)
    • Reads the Windows owner or organization settings

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
    • There is functionality for taking screenshot (YARA)

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
    • Reads security settings of Internet Explorer

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 6568)
      • onelaunchtray.exe (PID: 6680)
      • chromium.exe (PID: 3840)
      • ShellExperienceHost.exe (PID: 7968)
    • The process drops Mozilla's DLL files

      • OneLaunch Setup_.tmp (PID: 6228)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 2940)
      • schtasks.exe (PID: 1512)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 7016)
      • schtasks.exe (PID: 6604)
      • schtasks.exe (PID: 4596)
    • Uses ICACLS.EXE to modify access control lists

      • OneLaunch Setup_.tmp (PID: 6228)
    • Uses TASKKILL.EXE to kill process

      • OneLaunch Setup_.tmp (PID: 6228)
    • Process drops legitimate windows executable

      • OneLaunch Setup_.tmp (PID: 6228)
    • Application launched itself

      • chromium.exe (PID: 6584)
      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 9088)
      • chromium.exe (PID: 732)
      • chromium.exe (PID: 2928)
      • chromium.exe (PID: 7656)
      • chromium.exe (PID: 8388)
    • Reads the date of Windows installation

      • OneLaunch.exe (PID: 4548)
    • Starts CMD.EXE for commands execution

      • OneLaunch Setup_.tmp (PID: 6228)
    • Executing commands from a ".bat" file

      • OneLaunch Setup_.tmp (PID: 6228)
    • Executes application which crashes

      • OneLaunch Setup_.tmp (PID: 6228)
    • The process checks if it is being run in the virtual environment

      • chromium.exe (PID: 6568)
    • Potential Corporate Privacy Violation

      • OneLaunch.exe (PID: 4548)
  • INFO

    • Create files in a temporary directory

      • download.exe (PID: 6516)
      • download.tmp (PID: 6536)
      • download.exe (PID: 5628)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.exe (PID: 6208)
      • OneLaunch Setup_.tmp (PID: 6228)
      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 3840)
    • Checks supported languages

      • download.exe (PID: 6516)
      • download.tmp (PID: 6536)
      • download.exe (PID: 5628)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.exe (PID: 6208)
      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 6584)
      • chromium.exe (PID: 6524)
      • onelaunchtray.exe (PID: 6680)
      • chromium.exe (PID: 3140)
      • chromium.exe (PID: 7000)
      • chromium.exe (PID: 7044)
      • chromium.exe (PID: 6836)
      • chromium.exe (PID: 3840)
      • chromium.exe (PID: 5460)
      • chromium.exe (PID: 4128)
      • chromium.exe (PID: 876)
      • chromium.exe (PID: 4300)
      • chromium.exe (PID: 4136)
      • chromium.exe (PID: 2676)
      • chromium.exe (PID: 6408)
      • chromium.exe (PID: 6716)
      • chromium.exe (PID: 4724)
      • chromium.exe (PID: 6060)
      • chromium.exe (PID: 7060)
      • chromium.exe (PID: 6536)
      • chromium.exe (PID: 7400)
      • chromium.exe (PID: 7408)
      • chromium.exe (PID: 7604)
      • chromium.exe (PID: 7664)
      • chromium.exe (PID: 7428)
      • chromium.exe (PID: 7464)
      • chromium.exe (PID: 8040)
      • chromium.exe (PID: 7444)
      • chromium.exe (PID: 7920)
      • chromium.exe (PID: 7716)
      • chromium.exe (PID: 7456)
      • ShellExperienceHost.exe (PID: 7968)
      • chromium.exe (PID: 6248)
      • chromium.exe (PID: 5236)
      • chromium.exe (PID: 7108)
      • chromium.exe (PID: 7500)
      • chromium.exe (PID: 7508)
      • chromium.exe (PID: 7852)
      • chromium.exe (PID: 7944)
      • chromium.exe (PID: 7436)
      • chromium.exe (PID: 8780)
      • chromium.exe (PID: 8944)
      • chromium.exe (PID: 9088)
      • chromium.exe (PID: 9104)
      • chromium.exe (PID: 8624)
      • chromium.exe (PID: 9160)
      • chromium.exe (PID: 8400)
      • chromium.exe (PID: 8376)
      • chromium.exe (PID: 7472)
      • chromium.exe (PID: 4596)
      • chromium.exe (PID: 732)
      • chromium.exe (PID: 6188)
      • chromium.exe (PID: 5008)
      • chromium.exe (PID: 8676)
      • chromium.exe (PID: 2928)
      • chromium.exe (PID: 7352)
      • chromium.exe (PID: 7656)
      • chromium.exe (PID: 8788)
      • chromium.exe (PID: 7684)
      • chromium.exe (PID: 8820)
      • chromium.exe (PID: 4576)
      • chromium.exe (PID: 8388)
      • chromium.exe (PID: 8336)
      • chromium.exe (PID: 8840)
      • chromium.exe (PID: 8108)
      • chromium.exe (PID: 4980)
      • chromium.exe (PID: 8056)
    • Reads the computer name

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 6584)
      • onelaunchtray.exe (PID: 6680)
      • chromium.exe (PID: 7000)
      • chromium.exe (PID: 3140)
      • chromium.exe (PID: 3840)
      • ShellExperienceHost.exe (PID: 7968)
      • chromium.exe (PID: 7500)
      • chromium.exe (PID: 9088)
      • chromium.exe (PID: 8400)
      • chromium.exe (PID: 7472)
      • chromium.exe (PID: 2928)
      • chromium.exe (PID: 732)
      • chromium.exe (PID: 7656)
      • chromium.exe (PID: 8388)
    • Reads the software policy settings

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 3840)
      • WerFault.exe (PID: 6836)
      • chromium.exe (PID: 6568)
      • WerFault.exe (PID: 1296)
    • Checks proxy server information

      • download.tmp (PID: 6536)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 6568)
      • WerFault.exe (PID: 6836)
      • WerFault.exe (PID: 1296)
    • Reads the machine GUID from the registry

      • download.tmp (PID: 6536)
      • OneLaunch Setup_.tmp (PID: 6228)
      • download.tmp (PID: 6160)
      • OneLaunch.exe (PID: 4548)
      • onelaunchtray.exe (PID: 6680)
      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 3840)
      • chromium.exe (PID: 7472)
      • chromium.exe (PID: 3140)
    • The process uses the downloaded file

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
    • Process checks computer location settings

      • download.tmp (PID: 6536)
      • download.tmp (PID: 6160)
      • OneLaunch Setup_.tmp (PID: 6228)
      • chromium.exe (PID: 6568)
      • chromium.exe (PID: 7044)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 876)
      • chromium.exe (PID: 7944)
      • chromium.exe (PID: 8108)
      • chromium.exe (PID: 7684)
      • chromium.exe (PID: 4576)
      • chromium.exe (PID: 8820)
      • chromium.exe (PID: 9160)
      • chromium.exe (PID: 8840)
    • The sample compiled with english language support

      • OneLaunch Setup_.tmp (PID: 6228)
    • Creates files or folders in the user directory

      • OneLaunch Setup_.tmp (PID: 6228)
      • OneLaunch.exe (PID: 4548)
      • chromium.exe (PID: 6568)
      • onelaunchtray.exe (PID: 6680)
      • chromium.exe (PID: 7000)
      • chromium.exe (PID: 3840)
      • WerFault.exe (PID: 6836)
      • WerFault.exe (PID: 1296)
      • chromium.exe (PID: 9088)
      • chromium.exe (PID: 3140)
      • chromium.exe (PID: 7656)
      • chromium.exe (PID: 8388)
    • Creates files in the program directory

      • OneLaunch.exe (PID: 4548)
      • onelaunchtray.exe (PID: 6680)
    • Creates a software uninstall entry

      • OneLaunch Setup_.tmp (PID: 6228)
    • Sends debugging messages

      • chromium.exe (PID: 6524)
      • chromium.exe (PID: 6584)
      • OneLaunch.exe (PID: 4548)
      • onelaunchtray.exe (PID: 6680)
      • ShellExperienceHost.exe (PID: 7968)
    • Reads Environment values

      • OneLaunch.exe (PID: 4548)
    • Disables trace logs

      • OneLaunch.exe (PID: 4548)
    • Local mutex for internet shortcut management

      • chromium.exe (PID: 3840)
    • Manual execution by a user

      • chrome.exe (PID: 3836)
      • chrome.exe (PID: 7920)
      • Taskmgr.exe (PID: 7264)
      • Taskmgr.exe (PID: 7048)
    • Application launched itself

      • chrome.exe (PID: 7920)
      • chrome.exe (PID: 3836)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 7048)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:15 09:48:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 151552
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.33.0.0
ProductVersionNumber: 5.33.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: OneLaunch
FileDescription: OneLaunch Setup
FileVersion: 5.33.0
LegalCopyright: Copyright OneLaunch. All rights reserved.
OriginalFileName:
ProductName: OneLaunch
ProductVersion: 5.33.0
No data.
All screenshots are available in the full report
Total processes: 271
Monitored processes: 127
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Behavior graph (rendered interactively in the full report; "no specs" marks processes with no indicators): start → download.exe → download.tmp → download.exe → download.tmp → OneLaunch Setup_.exe → OneLaunch Setup_.tmp; the installer stage spawns taskkill.exe (3), schtasks.exe (6) and icacls.exe (2), each paired with a conhost.exe; then onelaunch.exe, onelaunchtray.exe, a large number of chromium.exe instances, cmd.exe with conhost.exe, werfault.exe (2), shellexperiencehost.exe, and, from manual user activity, chrome.exe instances and taskmgr.exe (2).

Process information

PID
CMD
Path
Indicators
Parent process
PID: 520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 732
CMD: "C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe" https://wbd_ol.ampxdirect.com/amazon?sub1=default&sub2=amazon --tab-trigger=app
Path: C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe
Parent process: OneLaunch.exe
User:
admin
Company:
OneLaunch
Integrity Level:
MEDIUM
Description:
OneLaunch
Exit code:
0
Version:
127.0.0.0
PID: 876
CMD: "C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-pre-read-main-dll --no-subproc-heap-profiling --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --metrics-shmem-handle=4132,i,14759813710966054992,1758270092614970958,2097152 --field-trial-handle=4140,i,152470740693388377,8378749923704408401,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:1
Path: C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe
Parent process: chromium.exe
User:
admin
Company:
OneLaunch
Integrity Level:
MEDIUM
Description:
OneLaunch
Exit code:
0
Version:
127.0.0.0
Modules
Images
c:\users\admin\appdata\local\onelaunch\5.33.0\chromium\chromium.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1296
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6228 -s 2228
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: OneLaunch Setup_.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1512
CMD: "schtasks" /Delete /TN "OneLaunchLaunchTask" /F
Path: C:\Windows\System32\schtasks.exe
Parent process: OneLaunch Setup_.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1556
CMD: "icacls" "C:\Users\admin\AppData\Local\OneLaunch\chromium" /grant *S-1-15-3-1024-2302894289-466761758-1166120688-1039016420-2430351297-4240214049-4028510897-3317428798:(OI)(CI)(RX) /t
Path: C:\Windows\System32\icacls.exe
Parent process: OneLaunch Setup_.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2412
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=3548 --field-trial-handle=1840,i,13067483559445962313,16749020393965404055,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
PID: 2676
CMD: "C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --no-pre-read-main-dll --no-subproc-heap-profiling --metrics-shmem-handle=4560,i,6162825074176292062,6349056589593669122,524288 --field-trial-handle=4672,i,152470740693388377,8378749923704408401,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
Path: C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe
Parent process: chromium.exe
User:
admin
Company:
OneLaunch
Integrity Level:
MEDIUM
Description:
OneLaunch
Exit code:
0
Version:
127.0.0.0
Modules
Images
c:\users\admin\appdata\local\onelaunch\5.33.0\chromium\chromium.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2928
CMD: C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\OneLaunch\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\admin\AppData\Local\OneLaunch\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=127.0.0.0 --initial-client-data=0x188,0x18c,0x190,0x164,0x194,0x6fbcbc84,0x6fbcbc90,0x6fbcbc9c
Path: C:\Users\admin\AppData\Local\OneLaunch\5.33.0\chromium\chromium.exe
Parent process: chromium.exe
User:
admin
Company:
OneLaunch
Integrity Level:
MEDIUM
Description:
OneLaunch
Exit code:
0
Version:
127.0.0.0
Total events: 27 761
Read events: 27 477
Write events: 268
Delete events: 16

Modification events

(PID) Process: (6160) download.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value: 101800009195F5853F56DB01

(PID) Process: (6160) download.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value: 196CE000D520E999588D7079E28CBA0BF6DD840174B53730BEC59C6DD9277207

(PID) Process: (6160) download.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: version
Value: 5.33.0.0

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: assembly
Value: C:\Users\admin\AppData\Local\OneLaunch\5.33.0\onelaunch.exe

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: install_info
Value: {"install_time":1735070843,"distinct_id":"AD2CE5B8-0FD0-4ED7-8E52-C9D628C98A6E","default_browser":"MSEdgeHTM","initinal_version":"5.33.0.0","packaged_browser":"chromium","split":"a","no_split":false,"split2":"b","server_side_split_28_11_ntp_distribution":"control","encoded_splits":"000"}

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: settings
Value: {"amazon_url":"https://wbd_ol.ampxdirect.com/amazon?sub1=default&sub2=amazon","suggest_url":"https://us.search.yahoo.com/sugg/gossip/gossip-us-partner?output=fxjson&appid=reb&command={searchTerms}","extensions":["hffgmnbojgnbalmhedkdikfhaflnfcno;https://chrmxtnsnhdnnlnch.onelaunch.com/ex?hf"],"new_tab_url":"https://onenews.com/v8/?s=https%3A%2F%2Fsearch.yahoo.com%2Fyhs%2Fsearch%3Fhspart%3Dreb%26hsimp%3Dyhs-ext_onelaunch%26p%3D%7BsearchTerms%7D%26type%3D0_1000_100_1000_100_241224","preload_extensions":["gcklppdiegejnfnpepkaagjmdneobkgi;https://static.slickdealscdn.com/attachment/extension/onelaunch/sd-3.6.8.crx"],"ob_new_tab_url":"https://onenews.com/v8/?s=https%3A%2F%2Fsearch.yahoo.com%2Fyhs%2Fsearch%3Fhspart%3Dreb%26hsimp%3Dyhs-ext_onelaunch%26p%3D%7BsearchTerms%7D%26type%3D0_1000_100_1000_100_241224","accuweather_api":"7f64ed3093d8436e994f9dc7e382a06a","url_app_overrides":["ebay_popular;https://ebay.com","ebay;https://ebay.com"],"rich_suggest_url":"https://us.search.yahoo.com/sugg/gossip/gossip-us-fastbreak?command={searchTerms}&output=fxjson&appid=reb-rich","type_tag":"0_1000_100_1000_100_241224","search_name":"Yahoo!","thanks_url":"","search_url":"https://search.yahoo.com/yhs/search?hspart=reb&hsimp=yhs-ext_onelaunch&p={searchTerms}&type=0_1000_100_1000_100_691231","iframe_ntp_url":"https://onenews.com/v8/","is_ntp_iframe":"false"}

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: reinstall_count
Value: 0

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: attribution_keys
Value: {"keyList":["nokey"]}

(PID) Process: (6228) OneLaunch Setup_.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\OneLaunch
Operation: write
Name: update_count
Value: 0
Executable files: 253
Suspicious files: 663
Text files: 313
Unknown types: 44

Dropped files

PID
Process
Filename
Type
PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\is-1J10N.tmp
Type:
MD5:
SHA256:

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\OneLaunch Setup.exe
Type:
MD5:
SHA256:

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\OneLaunch Setup.exe
Type:
MD5:
SHA256:

PID: 6160
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\OneLaunch Setup_.exe
Type:
MD5:
SHA256:

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\min-10-light.png
Type: image
MD5: 2257B1D0D33A41F509E7C3E117819F8B
SHA256: D43E4B285B5B54313B53E87D2A56CA9BA0C85F8F55C9C5FDCDB4FAC815FF4D02

PID: 6516
Process: download.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-3MBK2.tmp\download.tmp
Type: executable
MD5: 4F1E4827E080754AC98753A05E5846B9
SHA256: D379EC5E2897187A7FA92A82F4FB246CCA419CC9EB351A1ED52DAAE24A84DA10

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\min-rest.bmp
Type: image
MD5: 2484489C7443EC4745488A77ED084D80
SHA256: 70B6921812F29B698F454927802DB818C1625402BAEFD53CED1BFB9135C17D5A

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\min-hover.bmp
Type: image
MD5: C94A77553F2C392D5F1FE2F08E30EFB2
SHA256: 8DAA69B6252F6F773CEB6D7090664B933537478731473E1B54CAF67791C2D336

PID: 6536
Process: download.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-AU7H2.tmp\min-pressed.bmp
Type: image
MD5: 4B549427F8B753A01272BEC3A658E7BA
SHA256: FE03E30C13229D50685E3387F4F271BEFE57DFA74BE890D09C089FB3688469A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 58
TCP/UDP connections: 474
DNS requests: 512
Threats: 5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.162:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6808
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3420
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3420
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4548
OneLaunch.exe
GET
200
2.16.238.22:80
http://api.accuweather.com/locations/v1/cities/ipaddress?&apikey=7f64ed3093d8436e994f9dc7e382a06a
unknown
whitelisted
6836
WerFault.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.162:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.162:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6536
download.tmp
104.26.12.224:443
update.onelaunch.com
CLOUDFLARENET
US
suspicious
6536
download.tmp
52.89.216.217:443
api.keen.io
AMAZON-02
US
whitelisted
1144
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.170
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.144
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.190
  • 23.48.23.159
  • 23.48.23.167
  • 23.48.23.173
  • 23.48.23.176
  • 23.48.23.194
  • 23.48.23.183
  • 23.48.23.156
  • 2.16.164.120
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 163.181.92.250
  • 163.181.131.244
  • 47.246.46.239
  • 163.181.92.251
  • 88.221.169.152
whitelisted
update.onelaunch.com
  • 104.26.12.224
  • 172.67.68.170
  • 104.26.13.224
unknown
api.keen.io
  • 52.89.216.217
  • 44.231.123.243
  • 35.83.190.101
whitelisted
release-cdn.onelaunch.com
  • 172.67.68.170
  • 104.26.12.224
  • 104.26.13.224
unknown
login.live.com
  • 40.126.32.138
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.76
  • 40.126.32.134
  • 40.126.32.68
whitelisted

Threats

PID
Process
Class
Message
7000
chromium.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7000
chromium.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image Sharing Service (imgur.com)
4548
OneLaunch.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
4548
OneLaunch.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
Process
Message
chromium.exe
[1224/200842.946:ERROR:crash_report_database_win.cc(613)] CreateDirectory C:\Users\admin\AppData\Local\OneLaunch\User Data\Crashpad: The system cannot find the path specified. (0x3)
chromium.exe
[1224/200842.946:ERROR:registration_protocol_win.cc(136)] TransactNamedPipe: The pipe has been ended. (0x6D)
chromium.exe
[1224/200842.946:ERROR:crash_report_database_win.cc(613)] CreateDirectory C:\Users\admin\AppData\Local\OneLaunch\User Data\Crashpad: The system cannot find the path specified. (0x3)
OneLaunch.exe
2024-12-24 20:08:44,384 DEBUG [ 1] (Com.WebBar.App: 0) - Previous Version (Major.Minor)= Current Version = 5.33.0.0
OneLaunch.exe
2024-12-24 20:08:44,774 DEBUG [ 1] (Com.WebBar.Popups.PopupScheduler+PopupSchedule: 0) - scheduled popup slot app_wizard with ViewModel type AppWizardPopupViewModel to be shown at 12/24/2024 20:38:44 +00:00
onelaunchtray.exe
log4net:ERROR Appender named [Analytics] not found.
onelaunchtray.exe
log4net:ERROR XmlHierarchyConfigurator: No appender named [Analytics] could be found.
onelaunchtray.exe
Rebase.OneLaunch.Tray.TrayApp: 2024-12-24 20:08:45,290 [1] INFO - starting up
OneLaunch.exe
2024-12-24 20:08:46,009 DEBUG [ 1] (Com.WebBar.Dock.DisplayUtilities: 0) - update size and location
OneLaunch.exe
2024-12-24 20:08:46,883 DEBUG [ 4] (Com.WebBar.Dock.DisplayUtilities: 0) - update size and location