| File name: | OneLaunch - ManualsLibrary_f7acl.exe |
| Full analysis: | https://app.any.run/tasks/e5246d08-28e0-4e9a-8b6c-5550966d20e4 |
| Verdict: | Malicious activity |
| Analysis date: | May 28, 2024, 01:52:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 2D083E880E7DC3554F2561BCF21CD23D |
| SHA1: | 8AA9E9F69636A354722CF7E3FC391E9A510E19C9 |
| SHA256: | 6B3F1414D14CDA0B582420FFE7F1484356882FCC21E7FB1A19AB86008CA57B70 |
| SSDEEP: | 98304:x+QqZ8fXANzKEZKw1vknbamyM2bcihyptBtDODgRrjJyNHNJOWpvbUSnduGQXOCi:Z1BGx |
MALICIOUS
Drops the executable file immediately after the start
- OneLaunch - ManualsLibrary_f7acl.exe (PID: 3984)
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
SUSPICIOUS
Executable content was dropped or overwritten
- OneLaunch - ManualsLibrary_f7acl.exe (PID: 3984)
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
Reads the Windows owner or organization settings
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
Reads settings of System Certificates
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
Reads the Internet Settings
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
INFO
Checks supported languages
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
- OneLaunch - ManualsLibrary_f7acl.exe (PID: 3984)
- wmpnscfg.exe (PID: 4088)
Reads the computer name
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
- wmpnscfg.exe (PID: 4088)
Create files in a temporary directory
- OneLaunch - ManualsLibrary_f7acl.exe (PID: 3984)
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
Reads the machine GUID from the registry
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
Reads the software policy settings
- OneLaunch - ManualsLibrary_f7acl.tmp (PID: 4000)
Manual execution by a user
- wmpnscfg.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:11:15 09:48:30+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741376 |
| InitializedDataSize: | 151552 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.31.3.0 |
| ProductVersionNumber: | 5.31.3.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | OneLaunch |
| FileDescription: | OneLaunch Setup |
| FileVersion: | 5.31.3 |
| LegalCopyright: | Copyright OneLaunch. All rights reserved. |
| OriginalFileName: | |
| ProductName: | OneLaunch |
| ProductVersion: | 5.31.3 |
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3984 | "C:\Users\admin\Desktop\OneLaunch - ManualsLibrary_f7acl.exe" | C:\Users\admin\Desktop\OneLaunch - ManualsLibrary_f7acl.exe | explorer.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: OneLaunch Setup Version: 5.31.3 Modules
| |||||||||||||||
| 4000 | "C:\Users\admin\AppData\Local\Temp\is-RNNR6.tmp\OneLaunch - ManualsLibrary_f7acl.tmp" /SL5="$20138,2484213,893952,C:\Users\admin\Desktop\OneLaunch - ManualsLibrary_f7acl.exe" | C:\Users\admin\AppData\Local\Temp\is-RNNR6.tmp\OneLaunch - ManualsLibrary_f7acl.tmp | OneLaunch - ManualsLibrary_f7acl.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: Setup/Uninstall Version: 51.1052.0.0 Modules
| |||||||||||||||
| 4088 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 817
Read events
4 800
Write events
17
Delete events
0
Modification events
| (PID) Process: | (4000) OneLaunch - ManualsLibrary_f7acl.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: A00F00009EE1BAC3A1B0DA01 | |||
| (PID) Process: | (4000) OneLaunch - ManualsLibrary_f7acl.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 379153F44125DD5A6A802305A9EBF190EDAD297AE283FA4A5CAD709A3B700982 | |||
| (PID) Process: | (4000) OneLaunch - ManualsLibrary_f7acl.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (4000) OneLaunch - ManualsLibrary_f7acl.tmp | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
2
Suspicious files
3
Text files
8
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3984 | OneLaunch - ManualsLibrary_f7acl.exe | C:\Users\admin\AppData\Local\Temp\is-RNNR6.tmp\OneLaunch - ManualsLibrary_f7acl.tmp | executable | |
MD5:C0E3F092B137EF1604C7E1B31A755E06 | SHA256:1829C12B58954D0D71389ACD73DA79D13E2571ACD1EEAE3CF48273CEABA98D31 | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\Cab445E.tmp | compressed | |
MD5:29F65BA8E88C063813CC50A4EA544E93 | SHA256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184 | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:29F65BA8E88C063813CC50A4EA544E93 | SHA256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184 | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\is-AKMOJ.tmp\Win32Library.dll | executable | |
MD5:F801D3A6F441E1475342906BAE8B73E8 | SHA256:DADB7C8637D9B9D6F0F36B110D324BBEB80E3CCFFD8E376235857A0162DE090C | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\is-AKMOJ.tmp\min-rest.bmp | image | |
MD5:C32BFC11F1A32BAB6A1ED327C8A89E0E | SHA256:24BEE6D5DA65DC8A65EB639E3C189F257BC4B231940BD078BBEA23BA985EABB5 | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\is-AKMOJ.tmp\min-pressed.bmp | image | |
MD5:CC62DDE39B9CAA24626A3A0EB93C70FA | SHA256:8D25A76A6552A927407CB0D7BA1E61E8644D76420C2690F8CB3DB90F75ECC1E7 | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:03B758F39A4EC77115693D2693548660 | SHA256:D5731D40437A57CA53CE1BC0DD204682018BFF3A3FD81DF1C3842E29CAEFBDEC | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\is-AKMOJ.tmp\min-hover.bmp | image | |
MD5:E08B0A658E4A166C5461C542BE2B0D2F | SHA256:6F696C0C59CEDD0456270BCC868B6B3D7CBCA43911390904014F532CD7B131D5 | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\is-AKMOJ.tmp\manuals.bmp | image | |
MD5:1374FACDFEA685909559CD5F2395FA3C | SHA256:1F082E0D27E6D4710D8F7586CB1AB6160E72CD98850F040348BC5A558B9803BE | |||
| 4000 | OneLaunch - ManualsLibrary_f7acl.tmp | C:\Users\admin\AppData\Local\Temp\is-AKMOJ.tmp\onelaunch.bmp | image | |
MD5:6A360D71735931F6DEED2F1FC0D1E0A0 | SHA256:98F2C973DF13A6B642274E76F9DF0E5C04D213958BDDB0693A7C4F689C64DFCB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?60da87739b649fea | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | 18.173.205.38:443 | attribution.onelaunch.com | — | US | unknown |
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | 104.26.12.224:443 | update.onelaunch.com | CLOUDFLARENET | US | unknown |
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | 52.88.125.197:443 | api.keen.io | AMAZON-02 | US | unknown |
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | 130.211.34.183:443 | api.mixpanel.com | GOOGLE | US | whitelisted |
4000 | OneLaunch - ManualsLibrary_f7acl.tmp | 104.26.13.224:443 | update.onelaunch.com | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
attribution.onelaunch.com |
| whitelisted |
update.onelaunch.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
api.keen.io |
| whitelisted |
api.mixpanel.com |
| whitelisted |
release-cdn.onelaunch.com |
| unknown |