| File name: | OneLaunch - Manuals Search_d5vz6.exe |
| Full analysis: | https://app.any.run/tasks/a3f6542c-a178-4cb5-ab96-db9dadc4a793 |
| Verdict: | Malicious activity |
| Analysis date: | June 14, 2024, 09:23:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 13CA60D73776B420ADA5CC15848F8DFB |
| SHA1: | 22BECE82795E9C60D76C19F22F777F3B19AF10D8 |
| SHA256: | FBB5302B06F7E6824ECDAF59162F3A08557CAC0EFE6B40B4502EAB60ECD04D82 |
| SSDEEP: | 98304:u+QqZ8fXEn0IOfbsPk6rJl+KazHnzXM5YJhjsFA+QGfVxk3OUfpdTZTWwqE6SxbT:ff37GT |
MALICIOUS
Drops the executable file immediately after the start
- OneLaunch - Manuals Search_d5vz6.exe (PID: 3988)
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
SUSPICIOUS
Executable content was dropped or overwritten
- OneLaunch - Manuals Search_d5vz6.exe (PID: 3988)
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
Reads the Windows owner or organization settings
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
Reads settings of System Certificates
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
Reads the Internet Settings
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
INFO
Create files in a temporary directory
- OneLaunch - Manuals Search_d5vz6.exe (PID: 3988)
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
Checks supported languages
- OneLaunch - Manuals Search_d5vz6.exe (PID: 3988)
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
- wmpnscfg.exe (PID: 4032)
Reads the computer name
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
- wmpnscfg.exe (PID: 4032)
Reads the software policy settings
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
Reads the machine GUID from the registry
- OneLaunch - Manuals Search_d5vz6.tmp (PID: 4004)
Manual execution by a user
- wmpnscfg.exe (PID: 4032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:11:15 09:48:30+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741376 |
| InitializedDataSize: | 151552 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.31.4.0 |
| ProductVersionNumber: | 5.31.4.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | OneLaunch |
| FileDescription: | OneLaunch Setup |
| FileVersion: | 5.31.4 |
| LegalCopyright: | Copyright OneLaunch. All rights reserved. |
| OriginalFileName: | |
| ProductName: | OneLaunch |
| ProductVersion: | 5.31.4 |
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3988 | "C:\Users\admin\AppData\Local\Temp\OneLaunch - Manuals Search_d5vz6.exe" | C:\Users\admin\AppData\Local\Temp\OneLaunch - Manuals Search_d5vz6.exe | explorer.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: OneLaunch Setup Version: 5.31.4 Modules
| |||||||||||||||
| 4004 | "C:\Users\admin\AppData\Local\Temp\is-PES8N.tmp\OneLaunch - Manuals Search_d5vz6.tmp" /SL5="$30136,2484196,893952,C:\Users\admin\AppData\Local\Temp\OneLaunch - Manuals Search_d5vz6.exe" | C:\Users\admin\AppData\Local\Temp\is-PES8N.tmp\OneLaunch - Manuals Search_d5vz6.tmp | OneLaunch - Manuals Search_d5vz6.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: Setup/Uninstall Version: 51.1052.0.0 Modules
| |||||||||||||||
| 4032 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 821
Read events
4 804
Write events
17
Delete events
0
Modification events
| (PID) Process: | (4004) OneLaunch - Manuals Search_d5vz6.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: A40F00002026CD7E3CBEDA01 | |||
| (PID) Process: | (4004) OneLaunch - Manuals Search_d5vz6.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 4B4A4D473F4364AAC6151A0656C2E75B99827E8D61F47F7F32B0290DCE8982D0 | |||
| (PID) Process: | (4004) OneLaunch - Manuals Search_d5vz6.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (4004) OneLaunch - Manuals Search_d5vz6.tmp | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
3
Suspicious files
4
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3988 | OneLaunch - Manuals Search_d5vz6.exe | C:\Users\admin\AppData\Local\Temp\is-PES8N.tmp\OneLaunch - Manuals Search_d5vz6.tmp | executable | |
MD5:5C6DC4F810BF08224A748763E915D294 | SHA256:44F80EDCBB47C543B362916340AF40E5E0F5FA38C1C17713AF1AB463D1389E9D | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5 | SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\Cab2CEE.tmp | compressed | |
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5 | SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\is-F8U6D.tmp\Win32Library.dll | executable | |
MD5:564F2DFB6BEF1F47798DFB5D182232F0 | SHA256:671FB4649DDD8428C7F6FD1E14B30FD4735EFBBB8C142E2662E157D87F96C9C0 | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:89865BB4A0026CB701DDA230FD19FA77 | SHA256:BE59DBD176DC0A3F85CC8D3F6EA5C3F41F772B30DB0967F6ECAA054FED403182 | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\is-F8U6D.tmp\min-10-dark.png | image | |
MD5:14CA04108E5AC6A1B8C7A2B689382E44 | SHA256:9CB22401A923DFECAFC5F51DACEF5CBAE440B53B9932217C6BC4626F04920929 | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\Tar2CEF.tmp | binary | |
MD5:4EA6026CF93EC6338144661BF1202CD1 | SHA256:8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8 | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\is-F8U6D.tmp\onelaunch.png | image | |
MD5:D3110FB775EE7FD24426503D67840C25 | SHA256:F8392390DC81756E79EC5F359DBDCAC3B4BD219B5188A429B814FC51AABB6E36 | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\is-F8U6D.tmp\min-pressed.bmp | image | |
MD5:CC62DDE39B9CAA24626A3A0EB93C70FA | SHA256:8D25A76A6552A927407CB0D7BA1E61E8644D76420C2690F8CB3DB90F75ECC1E7 | |||
| 4004 | OneLaunch - Manuals Search_d5vz6.tmp | C:\Users\admin\AppData\Local\Temp\is-F8U6D.tmp\onelaunch.bmp | image | |
MD5:6A360D71735931F6DEED2F1FC0D1E0A0 | SHA256:98F2C973DF13A6B642274E76F9DF0E5C04D213958BDDB0693A7C4F689C64DFCB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
12
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4004 | OneLaunch - Manuals Search_d5vz6.tmp | GET | 200 | 95.101.54.136:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b0e5913832e7551f | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 18.173.205.127:443 | attribution.onelaunch.com | — | US | unknown |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 104.26.13.224:443 | update.onelaunch.com | CLOUDFLARENET | US | unknown |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 95.101.54.136:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 35.162.63.149:443 | api.keen.io | AMAZON-02 | US | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 35.186.241.51:443 | api.mixpanel.com | GOOGLE | US | whitelisted |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 172.67.68.170:443 | update.onelaunch.com | CLOUDFLARENET | US | unknown |
4004 | OneLaunch - Manuals Search_d5vz6.tmp | 54.186.96.245:443 | api.keen.io | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
attribution.onelaunch.com |
| whitelisted |
update.onelaunch.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
api.keen.io |
| whitelisted |
api.mixpanel.com |
| whitelisted |
release-cdn.onelaunch.com |
| unknown |