6b3f1414d14cda0b582420ffe7f1484356882fcc21e7fb1a19ab86008ca57b70

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
Size

3.2MB
MD5

2d083e880e7dc3554f2561bcf21cd23d
SHA1

8aa9e9f69636a354722cf7e3fc391e9a510e19c9
SHA256

6b3f1414d14cda0b582420ffe7f1484356882fcc21e7fb1a19ab86008ca57b70
SHA512

7a390b76401823cef95dcab3a2c6ae21fc958f3a1dbb7384183ee4cd2698debf37a7c4802b8a56ae62a5c6924c3cb6b99d4cb4e07453633622d807e43d361379
SSDEEP

49152:zqe3f6Rz4O5RLa6I8SwvMHDB+q0gabxS5xru87+DjqVX5rIJwI2J5PiH7nBGtm:uSiRz4iRPsA9f85xSLjgJLTiH7BUm

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

8 api.keen.io
9 api.keen.io
20 api.keen.io
21 api.keen.io

flow	ioc
8	api.keen.io
9	api.keen.io
20	api.keen.io
21	api.keen.io

Executes dropped EXE 4 IoCs

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmpSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmpOneLaunch Setup_.exeOneLaunch Setup_.tmp

pid	process
2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
2844	OneLaunch Setup_.exe
2756	OneLaunch Setup_.tmp

Loads dropped DLL 11 IoCs

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exeSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmpSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exeSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmpOneLaunch Setup_.exeOneLaunch Setup_.tmp

pid	process
1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
2844	OneLaunch Setup_.exe
2756	OneLaunch Setup_.tmp
2756	OneLaunch Setup_.tmp
2756	OneLaunch Setup_.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 15 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OneLaunch Setup_.tmpSecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	OneLaunch Setup_.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	OneLaunch Setup_.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OneLaunch Setup_.tmp

pid process

2756 OneLaunch Setup_.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp

pid process

2068 SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp

pid	process
2756	OneLaunch Setup_.tmp

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\is-UJ4JI.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UJ4JI.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp" /SL5="$5014E,2484213,893952,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg4MjYsImRpc3RpbmN0X2lkIjoiMUE4NTg4MUItQkUyQy00QzUxLTk4RjgtQTREOERCQjRCMjY5IiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0= /LAUNCHER /VERYSILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\is-6TNJI.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6TNJI.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp" /SL5="$201D8,2484213,893952,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg4MjYsImRpc3RpbmN0X2lkIjoiMUE4NTg4MUItQkUyQy00QzUxLTk4RjgtQTREOERCQjRCMjY5IiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0= /LAUNCHER /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe
"C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg4MjYsImRpc3RpbmN0X2lkIjoiMUE4NTg4MUItQkUyQy00QzUxLTk4RjgtQTREOERCQjRCMjY5IiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0=
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\is-ODU08.tmp\OneLaunch Setup_.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ODU08.tmp\OneLaunch Setup_.tmp" /SL5="$2019C,105340057,893952,C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTY0Mjg4MjYsImRpc3RpbmN0X2lkIjoiMUE4NTg4MUItQkUyQy00QzUxLTk4RjgtQTREOERCQjRCMjY5IiwiZGVmYXVsdF9icm93c2VyIjoiIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuMy4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImEiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0=
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f512c65f65f14708e50c0a81e5afb9e9

SHA1
6086cd20ad8427b16c2ec9b16ed601da935ec7ff

SHA256
2a455ec198893dd3cdd0a207da11150c4f075aa4c3dbd8168a8daedfbfc8d45a

SHA512
b9f55d15973795fbc2536723079497d11489b161ed55fe9c2fe1c0dc8d3c35306312d5345a016c8547d91eb01c989db45f2f437cec986a6a86c4de11c001bb54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9eee8f00396cf5719e048db6ae21c79b

SHA1
29da2e7c52800ae6abd23328e4613971465c7f2f

SHA256
231ac5cfbf233efe8fd7cd7b30992e80722750c9f3ef28baa51dcf82efe03272

SHA512
3620121c15bbd5c59953d56192cf9590591c99cdff64e412f8f27d7edda3cba399ebd93a7d7f0cfb55c10cf2daac2215a64793cd9a757d9098f7a244b348a44d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
448954e8b0ceb20eeacde83fe878e2f7

SHA1
baf36647890b233dfd26b2558c8196d7fe0bd581

SHA256
4211434d63ded53b1218ea039f8e2e4759b465095646ad505a101575f1186704

SHA512
d68318e53a1f6e99a9561ae2b4cedd5578267a82ea0df9669279f35cad24667691e60e7ce935e7cfb137cce3ed23af328560b1463544255208378a6f8275db19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
80430a6d793afc9a1cab763524711edf

SHA1
06ffeece216d00be5133bbffef6ba1f6b5f8d4bc

SHA256
c8c9c3137055f07cda99ffddfa020df9a19032048407e747fcf4595a16c13b9f

SHA512
a4cbda1a3ca75ef5340a8f06f629d68647da6a7767e124ca54d9dcfd08ab48d6f5b8846bb9c9c350d558f0d0bb529a9b8ffe0c56d5392b515578efb2f4690fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
73a3df2539f793400e0535d00477cd9a

SHA1
b3bb1e66a8d994d22d8c6f29b91036e027ad75bf

SHA256
da76f75593948a846f14a00affed245f44f2c801521458b29de6729ad1997999

SHA512
8b10b363a981414c2486e14b3b507a0827ad18553ccc85cbe1d0a2308239e8cfa594b6cbabc942c51e230256834b4e5c1ca9e0292e7ecdcc8e70dec60abcceb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24C2.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2513.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-84686.tmp\onelaunch.png
Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIFKU.tmp\checkmark-10-dark.png
Filesize
371B

MD5
33b22a3b44ff331d3eb0f34ccef86a79

SHA1
bbc863377473df98400def44a5a95ef7dde6ce2d

SHA256
902e9ddc6078297f7034ed362649bff39de484c9616507b336e2d721cd2e9b2c

SHA512
2ae6a520a5771adf29f212d3f05f7ce5d8db0189fc2016d959649b4257cef4249eb64dac9b2645f895d2e8c597007cc8412577aef85ad783f6124c9b7a5a65c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIFKU.tmp\min-10-dark.png
Filesize
5KB

MD5
14ca04108e5ac6a1b8c7a2b689382e44

SHA1
f961882b5e83f5fa89b41ba6022723f212a5dbc5

SHA256
9cb22401a923dfecafc5f51dacef5cbae440b53b9932217c6bc4626f04920929

SHA512
3cdbbaed156b7a3b425a1942691cd76a56700d6429bc3f9a1fe53d74a0c5b43d4089974ef485b3329bfbbab60c573cf09c7acaff3fc3c6ffd0f476414c1262a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIFKU.tmp\min-rest.bmp
Filesize
24KB

MD5
c32bfc11f1a32bab6a1ed327c8a89e0e

SHA1
ad754d278df04ffd70c9f56df0c29a55e2a3a136

SHA256
24bee6d5da65dc8a65eb639e3c189f257bc4b231940bd078bbea23ba985eabb5

SHA512
1e399845043018a7bbb712683ec445a0d6ac9ba4a16c73d4b5244ecd2a8fb37e98401395d112efd7d5c823dd9bd0d871a1f1282f082084513bbc96c1c6a711c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DIFKU.tmp\onelaunch.bmp
Filesize
725KB

MD5
6a360d71735931f6deed2f1fc0d1e0a0

SHA1
3fc9e13a1f8ce21f322fff6df7442153f4d2cb77

SHA256
98f2c973df13a6b642274e76f9df0e5c04d213958bddb0693a7c4f689c64dfcb

SHA512
6622e09549c9b4ee42a17aa6e819a4be0e7d0d5ab4015336cbb89b1ed5f2ec745c8fa8efec22bc8e948ce5e29640a6609ed693bf8954a0e33e124725dbc3aa7e

Download Submit
\Users\Admin\AppData\Local\Temp\is-84686.tmp\Win32Library.dll
Filesize
46KB

MD5
f801d3a6f441e1475342906bae8b73e8

SHA1
e2a5a128afda6b2bfe7ff4c4225b28bf5b0e2aec

SHA256
dadb7c8637d9b9d6f0f36b110d324bbeb80e3ccffd8e376235857a0162de090c

SHA512
ce893b13b55078059ac7e5898393e14321966a54ee660b29b916baa3de0cfb99aa7d296b26ae566e2ce4321c57a8b2fa38f5a2d567c49a95e363e08705ddbf2a

Download Submit
\Users\Admin\AppData\Local\Temp\is-ODU08.tmp\OneLaunch Setup_.tmp
Filesize
3.0MB

MD5
81f40127b8567ea5f7d94059751951d7

SHA1
750d2616e7f3068171f06f610b2a239b56fa9ad7

SHA256
90d52bc27d2fb921014664fe4ae774436d382ae58037a0d58f25bce33b5b551a

SHA512
68bb44476c950a37dc90786911c3fa4a28c5bf6af9416ad06e050a421c7e52f68f5b1ebe24d9dea7ca1a5ddbc45632962c9a2133c0aef00b07f063c4ea193bbc

Download Submit
\Users\Admin\AppData\Local\Temp\is-UJ4JI.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
Filesize
3.0MB

MD5
c0e3f092b137ef1604c7e1b31a755e06

SHA1
c09c89a30537d2d5f1fe21f46ec1459ec2479a00

SHA256
1829c12b58954d0d71389acd73da79d13e2571acd1eeae3cf48273ceaba98d31

SHA512
2a1301d966a89b017d8f32084d9061df25bcf7d8a7ebc6da47664c784fd8e523f80b63d2830429b37bab94dcf5337cf689b823fa24280a9a125ab6ddf366e5d1

Download Submit
memory/1456-569-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1456-361-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1980-568-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1980-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1980-317-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1980-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2068-318-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2068-242-0x0000000005070000-0x0000000005084000-memory.dmp

Filesize
80KB

Download
memory/2068-357-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2068-298-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2068-465-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2068-8-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2068-243-0x0000000074430000-0x0000000074444000-memory.dmp

Filesize
80KB

Download
memory/2068-259-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2068-260-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2068-261-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2108-570-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2756-512-0x00000000045A0000-0x00000000045B4000-memory.dmp

Filesize
80KB

Download
memory/2756-513-0x0000000070700000-0x0000000070714000-memory.dmp

Filesize
80KB

Download
memory/2756-503-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2756-502-0x00000000029A0000-0x0000000002AE0000-memory.dmp

Filesize
1.2MB

Download
memory/2756-572-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2844-396-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2844-571-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

description	pid	process	target process
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1980 wrote to memory of 2068	1980	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 2068 wrote to memory of 1456	2068	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 1456 wrote to memory of 2108	1456	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.exe	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2108 wrote to memory of 2844	2108	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.31359.tmp	OneLaunch Setup_.exe
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp
PID 2844 wrote to memory of 2756	2844	OneLaunch Setup_.exe	OneLaunch Setup_.tmp