6b3f1414d14cda0b582420ffe7f1484356882fcc21e7fb1a19ab86008ca57b70

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
Size

3.2MB
MD5

2d083e880e7dc3554f2561bcf21cd23d
SHA1

8aa9e9f69636a354722cf7e3fc391e9a510e19c9
SHA256

6b3f1414d14cda0b582420ffe7f1484356882fcc21e7fb1a19ab86008ca57b70
SHA512

7a390b76401823cef95dcab3a2c6ae21fc958f3a1dbb7384183ee4cd2698debf37a7c4802b8a56ae62a5c6924c3cb6b99d4cb4e07453633622d807e43d361379
SSDEEP

49152:zqe3f6Rz4O5RLa6I8SwvMHDB+q0gabxS5xru87+DjqVX5rIJwI2J5PiH7nBGtm:uSiRz4iRPsA9f85xSLjgJLTiH7BUm

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

8 api.keen.io
9 api.keen.io
20 api.keen.io

flow	ioc
8	api.keen.io
9	api.keen.io
20	api.keen.io

Executes dropped EXE 4 IoCs

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmpSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmpOneLaunch Setup_.exeOneLaunch Setup_.tmp

pid	process
2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2540	OneLaunch Setup_.exe
2604	OneLaunch Setup_.tmp

Loads dropped DLL 11 IoCs

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exeSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmpSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exeSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmpOneLaunch Setup_.exeOneLaunch Setup_.tmp

pid	process
2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
2540	OneLaunch Setup_.exe
2604	OneLaunch Setup_.tmp
2604	OneLaunch Setup_.tmp
2604	OneLaunch Setup_.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 15 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmpOneLaunch Setup_.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	OneLaunch Setup_.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	OneLaunch Setup_.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OneLaunch Setup_.tmp

pid process

2604 OneLaunch Setup_.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp

pid process

2272 SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp

pid	process
2604	OneLaunch Setup_.tmp

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\is-NFJBK.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NFJBK.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp" /SL5="$30132,2484213,893952,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg3NjksImRpc3RpbmN0X2lkIjoiMDYwNzkzQkMtOUVCMy00OEM4LUE4MzEtNjE3NEY3RkNENUVCIiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0= /LAUNCHER /VERYSILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\is-38BAG.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
"C:\Users\Admin\AppData\Local\Temp\is-38BAG.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp" /SL5="$40172,2484213,893952,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg3NjksImRpc3RpbmN0X2lkIjoiMDYwNzkzQkMtOUVCMy00OEM4LUE4MzEtNjE3NEY3RkNENUVCIiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0= /LAUNCHER /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe
"C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg3NjksImRpc3RpbmN0X2lkIjoiMDYwNzkzQkMtOUVCMy00OEM4LUE4MzEtNjE3NEY3RkNENUVCIiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0=
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\is-M6BCH.tmp\OneLaunch Setup_.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M6BCH.tmp\OneLaunch Setup_.tmp" /SL5="$2019E,105340057,893952,C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg3NjksImRpc3RpbmN0X2lkIjoiMDYwNzkzQkMtOUVCMy00OEM4LUE4MzEtNjE3NEY3RkNENUVCIiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0=
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
001e8415fab99e0bc7275a96dd497d90

SHA1
62f09eb71a0b447b0f8a69d644facc8b8a6eb2fe

SHA256
de5fe24b3107e61f6466c3cf6c70f49482026e4699135d9bcb93f0ca28d87532

SHA512
c26f1937b35bba7ef8e38c07b6e4bc83cf6a640f4469c8a391c1fbb74b1c2eeea6275c89956935c08535c6ecac525cffb373c1ba90242071a8aa21fa4b8853b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ed7398a12059f18dd1c1d087cbe9e1dd

SHA1
f5c40b9cfb537d7cf2f42dd4c32fcc1481cd92ce

SHA256
7f0418d0faf4d720374341461273aca5226c72ba3e68d31e5aa55dcddc21195a

SHA512
62e0e12ad98e5221795e11e6f3f452bb999b179f186dfb2256df611580feb34a58db2d11cd01428b203eaa61778975af0a9173fe16f084b17588b07af5f63d97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f8f002c255aae767b50b84f633383b58

SHA1
72f5c2b8e93c4d8fa527aa08722fd4464de12c1d

SHA256
20e9de3f062a4b1d291452e26ed3e72965c98dce92a2fbb29c641ad083624806

SHA512
565a91a9e8cca08f1b58d721a747d8a9aadd76f2fcca505a64bfdb563e9e6dbd76308f7fedf6135c24a120689e7cd9bb69995ba3b2a95910640aa58aff5453e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5e964287aaefdf693e267018a48c0bbe

SHA1
307fd5edad4b497b723025ff09d26fb5fc3a20cd

SHA256
31ee6036159d978385d45a86804759c370e4dcf359fc4b01f49300c5d999f8f4

SHA512
bfd4c4266ae14c6a65e553c7bd0ceb92a92d9c4918be044a7cae3d73281eb8becaca18dd56c103ac2bc9dc0c04df1cffafa1ce298a403d895195a7e7be144796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab11ED.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar124E.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1HT7A.tmp\onelaunch.png
Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNFR2.tmp\checkmark-10-dark.png
Filesize
371B

MD5
33b22a3b44ff331d3eb0f34ccef86a79

SHA1
bbc863377473df98400def44a5a95ef7dde6ce2d

SHA256
902e9ddc6078297f7034ed362649bff39de484c9616507b336e2d721cd2e9b2c

SHA512
2ae6a520a5771adf29f212d3f05f7ce5d8db0189fc2016d959649b4257cef4249eb64dac9b2645f895d2e8c597007cc8412577aef85ad783f6124c9b7a5a65c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNFR2.tmp\min-10-dark.png
Filesize
5KB

MD5
14ca04108e5ac6a1b8c7a2b689382e44

SHA1
f961882b5e83f5fa89b41ba6022723f212a5dbc5

SHA256
9cb22401a923dfecafc5f51dacef5cbae440b53b9932217c6bc4626f04920929

SHA512
3cdbbaed156b7a3b425a1942691cd76a56700d6429bc3f9a1fe53d74a0c5b43d4089974ef485b3329bfbbab60c573cf09c7acaff3fc3c6ffd0f476414c1262a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNFR2.tmp\min-rest.bmp
Filesize
24KB

MD5
c32bfc11f1a32bab6a1ed327c8a89e0e

SHA1
ad754d278df04ffd70c9f56df0c29a55e2a3a136

SHA256
24bee6d5da65dc8a65eb639e3c189f257bc4b231940bd078bbea23ba985eabb5

SHA512
1e399845043018a7bbb712683ec445a0d6ac9ba4a16c73d4b5244ecd2a8fb37e98401395d112efd7d5c823dd9bd0d871a1f1282f082084513bbc96c1c6a711c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNFR2.tmp\onelaunch.bmp
Filesize
725KB

MD5
6a360d71735931f6deed2f1fc0d1e0a0

SHA1
3fc9e13a1f8ce21f322fff6df7442153f4d2cb77

SHA256
98f2c973df13a6b642274e76f9df0e5c04d213958bddb0693a7c4f689c64dfcb

SHA512
6622e09549c9b4ee42a17aa6e819a4be0e7d0d5ab4015336cbb89b1ed5f2ec745c8fa8efec22bc8e948ce5e29640a6609ed693bf8954a0e33e124725dbc3aa7e

Download Submit
\Users\Admin\AppData\Local\Temp\is-1HT7A.tmp\Win32Library.dll
Filesize
46KB

MD5
f801d3a6f441e1475342906bae8b73e8

SHA1
e2a5a128afda6b2bfe7ff4c4225b28bf5b0e2aec

SHA256
dadb7c8637d9b9d6f0f36b110d324bbeb80e3ccffd8e376235857a0162de090c

SHA512
ce893b13b55078059ac7e5898393e14321966a54ee660b29b916baa3de0cfb99aa7d296b26ae566e2ce4321c57a8b2fa38f5a2d567c49a95e363e08705ddbf2a

Download Submit
\Users\Admin\AppData\Local\Temp\is-M6BCH.tmp\OneLaunch Setup_.tmp
Filesize
3.0MB

MD5
81f40127b8567ea5f7d94059751951d7

SHA1
750d2616e7f3068171f06f610b2a239b56fa9ad7

SHA256
90d52bc27d2fb921014664fe4ae774436d382ae58037a0d58f25bce33b5b551a

SHA512
68bb44476c950a37dc90786911c3fa4a28c5bf6af9416ad06e050a421c7e52f68f5b1ebe24d9dea7ca1a5ddbc45632962c9a2133c0aef00b07f063c4ea193bbc

Download Submit
\Users\Admin\AppData\Local\Temp\is-NFJBK.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
Filesize
3.0MB

MD5
c0e3f092b137ef1604c7e1b31a755e06

SHA1
c09c89a30537d2d5f1fe21f46ec1459ec2479a00

SHA256
1829c12b58954d0d71389acd73da79d13e2571acd1eeae3cf48273ceaba98d31

SHA512
2a1301d966a89b017d8f32084d9061df25bcf7d8a7ebc6da47664c784fd8e523f80b63d2830429b37bab94dcf5337cf689b823fa24280a9a125ab6ddf366e5d1

Download Submit
memory/2272-281-0x0000000003850000-0x0000000003990000-memory.dmp

Filesize
1.2MB

Download
memory/2272-376-0x0000000003850000-0x0000000003990000-memory.dmp

Filesize
1.2MB

Download
memory/2272-318-0x0000000003850000-0x0000000003990000-memory.dmp

Filesize
1.2MB

Download
memory/2272-385-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2272-280-0x0000000003850000-0x0000000003990000-memory.dmp

Filesize
1.2MB

Download
memory/2272-279-0x0000000003850000-0x0000000003990000-memory.dmp

Filesize
1.2MB

Download
memory/2272-263-0x0000000074160000-0x0000000074174000-memory.dmp

Filesize
80KB

Download
memory/2272-262-0x0000000004290000-0x00000000042A4000-memory.dmp

Filesize
80KB

Download
memory/2272-14-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2408-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2408-337-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2408-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2408-586-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2540-589-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2540-416-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2604-531-0x0000000070430000-0x0000000070444000-memory.dmp

Filesize
80KB

Download
memory/2604-530-0x00000000051D0000-0x00000000051E4000-memory.dmp

Filesize
80KB

Download
memory/2604-521-0x0000000003780000-0x00000000038C0000-memory.dmp

Filesize
1.2MB

Download
memory/2604-520-0x0000000003780000-0x00000000038C0000-memory.dmp

Filesize
1.2MB

Download
memory/2604-590-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2736-587-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2736-380-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2756-588-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download

description	pid	process	target process
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2408 wrote to memory of 2272	2408	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2272 wrote to memory of 2736	2272	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2736 wrote to memory of 2756	2736	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2756 wrote to memory of 2540	2756	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.22854.tmp	OneLaunch Setup_.exe
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2540 wrote to memory of 2604	2540	OneLaunch Setup_.exe	OneLaunch Setup_.tmp