File name: onetap.exe

Full analysis: https://app.any.run/tasks/53a433d9-4bf5-43f4-aeb2-dcd8045f7aaf
Verdict: No threats detected
Analysis date: August 21, 2019, 03:35:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 25B6B56D81833AA800A5C2C66E731B25
SHA1: B389B7623F11ED6296CDCC6AE4EE792DEF27B28D
SHA256: B93482415915D0F4092B0A1D4AF205FDBC7B9750735179D68F621976BCCF9189
SSDEEP: 3072:TEjW9s8DJ9/1R/znrCFmq3B/i5iv6nXAQbzhx4S29vWOV92OHtw:TEi9b1Gmq31i5ivkwQxbO2St

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 3508)
    • Manual execution by user

      • opera.exe (PID: 3508)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:05 20:02:47+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 5120
InitializedDataSize: 192000
UninitializedDataSize: -
EntryPoint: 0x2095
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Aug-2019 18:02:47
Detected languages:
  • English - New Zealand
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0078
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0x0000
Initial SS value: 0x0000
Initial SP value: 0x0000
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000078

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 05-Aug-2019 18:02:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000012F1 | 0x00001400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.17386
.rdata | 0x00003000 | 0x0000477C | 0x00004800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.34902
.data | 0x00008000 | 0x0000041C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.76523
.00cfg | 0x00009000 | 0x00000004 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0611629
.gfids | 0x0000A000 | 0x00000050 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.397516
.rsrc | 0x0000B000 | 0x00029B38 | 0x00029C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.71559
.reloc | 0x00035000 | 0x000002A8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.91914

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.69958 | 334 | UNKNOWN | English - United States | RT_MANIFEST
2 | 6.02969 | 4264 | UNKNOWN | English - New Zealand | RT_ICON
3 | 5.64397 | 9640 | UNKNOWN | English - New Zealand | RT_ICON
4 | 5.46292 | 16936 | UNKNOWN | English - New Zealand | RT_ICON
5 | 5.10084 | 67624 | UNKNOWN | English - New Zealand | RT_ICON
6 | 7.98917 | 69949 | UNKNOWN | English - New Zealand | RT_ICON
9 | 2.81114 | 166 | UNKNOWN | English - New Zealand | RT_DIALOG
103 | 2.97412 | 90 | UNKNOWN | English - New Zealand | RT_GROUP_ICON

Imports

KERNEL32.dll
USER32.dll
VCRUNTIME140.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
bass.dll
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0


Process information

PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\onetap.exe"
Path: C:\Users\admin\AppData\Local\Temp\onetap.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\appdata\local\temp\onetap.exe
  • c:\systemroot\system32\ntdll.dll

PID: 3508
CMD: "C:\Program Files\Opera\opera.exe"
Path: C:\Program Files\Opera\opera.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Exit code: 0
Version: 1748
Modules (images):
  • c:\program files\opera\opera.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\psapi.dll
  • c:\windows\system32\wintrust.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msasn1.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3896
CMD: "C:\Users\admin\AppData\Local\Temp\onetap.exe"
Path: C:\Users\admin\AppData\Local\Temp\onetap.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225781
Modules (images):
  • c:\users\admin\appdata\local\temp\onetap.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
Total events: 243
Read events: 131
Write events: 112
Delete events: 0

Modification events

(PID) Process: (3508) opera.exe
Key: HKEY_CURRENT_USER\Software\Opera Software
Operation: write
Name: Last CommandLine v2
Value: C:\Program Files\Opera\opera.exe

(PID) Process: (3508) opera.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 0
Suspicious files: 42
Text files: 35
Unknown types: 20

Dropped files

PID | Process | Filename | Type
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprE68C.tmp | -
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprE729.tmp | -
3508 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | -
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KRIXFTRDH6IWXXI5VW98.temp | -
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr1937.tmp | -
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr251F.tmp | -
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms | binary
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary
3508 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF16f225.TMP | binary
HTTP(S) requests: 18
TCP/UDP connections: 27
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3508 | opera.exe | GET | 200 | 172.217.22.78:80 | http://clients1.google.com/complete/search?q=fatal&client=opera-suggest-omnibox&hl=de | US | text | 117 b | whitelisted
3508 | opera.exe | GET | 200 | 172.217.22.78:80 | http://clients1.google.com/complete/search?q=fata&client=opera-suggest-omnibox&hl=de | US | text | 94 b | whitelisted
3508 | opera.exe | GET | 200 | 172.217.22.78:80 | http://clients1.google.com/complete/search?q=fatality&client=opera-suggest-omnibox&hl=de | US | text | 105 b | whitelisted
3508 | opera.exe | GET | 200 | 172.217.22.78:80 | http://clients1.google.com/complete/search?q=fatali&client=opera-suggest-omnibox&hl=de | US | text | 84 b | whitelisted
3508 | opera.exe | GET | 200 | 172.217.18.163:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 815 b | whitelisted
3508 | opera.exe | GET | 301 | 185.11.145.249:80 | http://fatality.win/favicon.ico | NL | html | 240 b | suspicious
3508 | opera.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEB9KWn%2BWhxw64SnNqfTId8%3D | US | der | 471 b | whitelisted
3508 | opera.exe | GET | 200 | 192.35.177.64:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 896 b | whitelisted
3508 | opera.exe | GET | 200 | 185.11.145.249:80 | http://fatality.win/bf.jquery.max.js | NL | text | 93.6 Kb | suspicious
3508 | opera.exe | GET | 400 | 185.26.182.94:80 | http://sitecheck2.opera.com/?host=fatality.win&hdn=/FUxe/P2Ijv0wXBVebZcZA== | unknown | html | 150 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3508 | opera.exe | 172.217.22.78:80 | clients1.google.com | Google Inc. | US | whitelisted
3508 | opera.exe | 185.11.145.249:80 | fatality.win | Dotsi, Unipessoal Lda. | NL | suspicious
3508 | opera.exe | 185.26.182.94:80 | certs.opera.com | Opera Software AS | - | whitelisted
3508 | opera.exe | 151.139.128.14:80 | crl.comodoca.com | Highwinds Network Group, Inc. | US | suspicious
3508 | opera.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted
3508 | opera.exe | 172.217.18.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3508 | opera.exe | 192.35.177.64:80 | crl.identrust.com | IdenTrust | US | malicious
3508 | opera.exe | 172.217.22.99:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
3508 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3508 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | - | whitelisted

DNS requests

Domain | IP | Reputation
certs.opera.com | 185.26.182.93, 185.26.182.94 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
clients1.google.com | 172.217.22.78 | whitelisted
fatality.win | 185.11.145.249 | suspicious
sitecheck2.opera.com | 185.26.182.94, 185.26.182.111, 185.26.182.112, 185.26.182.93 | whitelisted
fonts.googleapis.com | 172.217.16.202 | whitelisted
maxcdn.bootstrapcdn.com | 209.197.3.15 | whitelisted
crl.comodoca.com | 151.139.128.14 | whitelisted
crl.usertrust.com | 151.139.128.14 | whitelisted
ocsp.pki.goog | 172.217.18.163 | whitelisted

Threats

No threats detected
No debug info