Windows Analysis Report
OneLaunch.exe

Overview

General Information

Sample Name: OneLaunch.exe
Analysis ID: 840120
MD5: 6b50f5cd91f309d9b882a36abc7a5b38
SHA1: 3d32352e1d4a697def1d2e80a77b88eef22e94ba
SHA256: e6fbc6f99c534c974b5188232c951c54388dbe2f62d4ba80382363330d7a14e2

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Checks if the current process is being debugged

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.

Analysis Advice

Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/", "--").
Sample crashes during execution; try analyzing it on another analysis machine.
  • System is w10x64
  • OneLaunch.exe (PID: 6408 cmdline: C:\Users\user\Desktop\OneLaunch.exe MD5: 6B50F5CD91F309D9B882A36ABC7A5B38)
    • WerFault.exe (PID: 6672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 784 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: OneLaunch.exe, Static PE information: certificate valid
Source: OneLaunch.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: OneLaunch.exeString found in binary or memory: https://twitter.com
Source: OneLaunch.exeString found in binary or memory: https://twitter.com/
Source: OneLaunch.exeString found in binary or memory: https://unsplash.com/
Source: OneLaunch.exeString found in binary or memory: https://update.onelaunch.com/settings
Source: OneLaunch.exeString found in binary or memory: https://update.onelaunch.com/settingssSomething
Source: OneLaunch.exeString found in binary or memory: https://update.onelaunch.com/update)Installing
Source: OneLaunch.exeString found in binary or memory: https://videos-cdn.onelaunch.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://vip.sos.nd.gov/PortalListDetails.aspx?ptlhPKID=73&ptlPKID=7
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://voteinfo.utah.gov/
Source: OneLaunch.exeString found in binary or memory: https://wbd_ol.ampxdirect.com/amazon?sub1=default&sub2=amazon
Source: OneLaunch.exeString found in binary or memory: https://web.whatsapp.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://wisconsindot.gov/Pages/dmv/license-drvs/rcd-crsh-rpt/driver-forms.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://wisconsindot.gov/Pages/dmv/vehicles/frms-pubs/veh-forms.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.alea.gov/dps/driver-license/driver-license-forms
Source: OneLaunch.exeString found in binary or memory: https://www.allrecipes.com/search?q=O/onelaunch;component/ui/apps/tvapp.xaml
Source: OneLaunch.exeString found in binary or memory: https://www.ally.com/
Source: OneLaunch.exeString found in binary or memory: https://www.amazon.com/gp/help/customer/display.html/ref=hp_bc_nav?ie=UTF8&nodeId=201887920)DailyDea
Source: OneLaunch.exeString found in binary or memory: https://www.amazon.com/gp/help/customer/display.html/ref=hp_bc_nav?ie=UTF8&nodeId=201887920Hhttps://
Source: OneLaunch.exeString found in binary or memory: https://www.amazon.com/s?k=
Source: OneLaunch.exeString found in binary or memory: https://www.amc.com/
Source: OneLaunch.exeString found in binary or memory: https://www.americanexpress.com/en-us/account/login/
Source: OneLaunch.exeString found in binary or memory: https://www.apple.com/
Source: OneLaunch.exeString found in binary or memory: https://www.apple.com/apple-tv-plus/
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/dog.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/dragon.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/horse.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/monkey.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/pig.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/rabbit.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/rooster.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/sheep.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/snake.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/tiger.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/today/ox.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily-chinese/today/rat.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/aquarius.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/aries.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/cancer.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/capricorn.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/gemini.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/leo.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/libra.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/pisces.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/sagittarius.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/scorpio.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/taurus.html
Source: OneLaunch.exeString found in binary or memory: https://www.astrology.com/horoscope/daily/virgo.html
Source: OneLaunch.exeString found in binary or memory: https://www.bankofamerica.com/
Source: OneLaunch.exeString found in binary or memory: https://www.bankrate.com/calculators/index-of-debt-management-calculators.aspx
Source: OneLaunch.exeString found in binary or memory: https://www.bankrate.com/calculators/index-of-debt-management-calculators.aspxRhttps://www.bankrate.
Source: OneLaunch.exeString found in binary or memory: https://www.bestbuy.com/
Source: OneLaunch.exeString found in binary or memory: https://www.bestcrosswords.com/bestcrosswords/SolvableOnline.page
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.bmv.ohio.gov/forms-dl.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.bmv.ohio.gov/forms-vr.aspx
Source: OneLaunch.exeString found in binary or memory: https://www.bnymellon.com/us/en/client-access.html/
Source: OneLaunch.exeString found in binary or memory: https://www.calculatestuff.com/
Source: OneLaunch.exeString found in binary or memory: https://www.calculatestuff.com/Bhttps://www.dictionary.com/browse
Source: OneLaunch.exeString found in binary or memory: https://www.cancer.org/healthy/eat-healthy-get-active/take-control-your-weight/body-mass-index-bmi-c
Source: OneLaunch.exeString found in binary or memory: https://www.capitalone.com/
Source: OneLaunch.exeString found in binary or memory: https://www.cbs.com/shows/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.cdss.ca.gov/food-nutrition/calfresh
Source: OneLaunch.exeString found in binary or memory: https://www.chase.com/
Source: OneLaunch.exeString found in binary or memory: https://www.citi.com/
Source: OneLaunch.exeString found in binary or memory: https://www.classifiedads.com/search.php?lid=z
Source: OneLaunch.exeString found in binary or memory: https://www.classifiedads.com/search.php?lid=z8https://genius.com/search?q=
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.cms.gov/Medicare/CMS-Forms/CMS-Forms/CMS-Forms-List
Source: OneLaunch.exeString found in binary or memory: https://www.cnn.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.colorado.gov/pacific/cdhs/supplemental-nutrition-assistance-program-snap
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.colorado.gov/pacific/dmv/forms-licenses
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.colorado.gov/pacific/dmv/forms-vehicles
Source: OneLaunch.exeString found in binary or memory: https://www.convertworld.com/en/
Source: OneLaunch.exeString found in binary or memory: https://www.coupons.com/
Source: OneLaunch.exeString found in binary or memory: https://www.craigslist.org/
Source: OneLaunch.exeString found in binary or memory: https://www.craigslist.org/about/sites
Source: OneLaunch.exeString found in binary or memory: https://www.crazygames.com/
Source: OneLaunch.exeString found in binary or memory: https://www.creativecenter.brother/en-us/home/home-category/calendars/monthly-calendars
Source: OneLaunch.exeString found in binary or memory: https://www.creativecenter.brother/en-us/home/home-category/calendars/yearly-calendars
Source: OneLaunch.exeString found in binary or memory: https://www.cwtv.com/shows/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.cyberdriveillinois.com/publications/motorist/home.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dcboe.org/Data-Resources-Forms/Forms-and-Resources
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dfa.arkansas.gov/driver-services/forms/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dfa.arkansas.gov/motor-vehicle/motor-vehicle-forms/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dhhs.nh.gov/dfa/foodstamps/index.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dhs.wisconsin.gov/foodshare/index.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dhss.delaware.gov/dhss/dss/foodstamps.html
Source: OneLaunch.exeString found in binary or memory: https://www.dictionary.com/browse/
Source: OneLaunch.exeString found in binary or memory: https://www.disneyplus.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dmv.ca.gov/portal/dmv/detail/forms/forms
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dmv.pa.gov/_layouts/pa.penndot.formsandpubs/formsandpubs.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dmv.virginia.gov/forms/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dol.wa.gov/forms/formsdriver.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dol.wa.gov/forms/formsvehicle.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dor.ms.gov/Pages/MotorVehicle-Forms.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.dps.texas.gov/internetforms/SectionDetail.aspx?ID=15&SpeclSection=Driver%20License
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.driverservicebureau.dps.ms.gov/files-pdfs
Source: OneLaunch.exeString found in binary or memory: https://www.dropbox.com/
Source: OneLaunch.exeString found in binary or memory: https://www.ecosia.org/search?q=
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.elections.il.gov/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.elections.ny.gov/votingregister.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.elections.virginia.gov/registration/voter-forms/
Source: OneLaunch.exeString found in binary or memory: https://www.epicurious.com/search/Fhttps://www.foodnetwork.com/search/dhttps://www.myfoodandfamily.c
Source: OneLaunch.exeString found in binary or memory: https://www.epicurious.com/search/Ghttps://www.foodnetwork.com/search/ehttps://www.myfoodandfamily.c
Source: OneLaunch.exeString found in binary or memory: https://www.espn.com/
Source: OneLaunch.exeString found in binary or memory: https://www.etsy.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.expresslane.org/Pages/Forms-and-Manuals.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.flhsmv.gov/resources/forms/
Source: OneLaunch.exeString found in binary or memory: https://www.fox.com/entertainment/
Source: OneLaunch.exeString found in binary or memory: https://www.geico.com/save/local-gas-prices/
Source: OneLaunch.exeString found in binary or memory: https://www.goldmansachs.com/
Source: OneLaunch.exeString found in binary or memory: https://www.google.ca/maps
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/calendar/
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/Jdir/?api=1&origin=
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/ATMs;OriginSuggestionsPopupVisibleEDestinationSuggestionsPopupVis
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/Hotels
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/Museums
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/Pharmacies
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/Restaurants
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/Things
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/maps/search/Transit
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/s2/favicons?domain=
Source: OneLaunch.exeString found in binary or memory: https://www.google.com/search?q=
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/birthday
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/events-and-occasions
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/holidays
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/thank-you
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/thoughts-and-feelings/congratulations
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/thoughts-and-feelings/friendship
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/cards/thoughts-and-feelings/love-and-romance
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/invitations
Source: OneLaunch.exeString found in binary or memory: https://www.greetingsisland.com/search/en/
Source: OneLaunch.exeString found in binary or memory: https://www.groupon.com/
Source: OneLaunch.exeString found in binary or memory: https://www.hbo.com/series/all-series
Source: OneLaunch.exeString found in binary or memory: https://www.homedepot.com/
Source: OneLaunch.exeString found in binary or memory: https://www.hsbc.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.hsd.state.nm.us/LookingForAssistance/Supplemental_Nutrition_Assistance_Program__SNAP_.as
Source: OneLaunch.exeString found in binary or memory: https://www.hulu.com/
Source: OneLaunch.exeString found in binary or memory: https://www.icloud.com/calendar
Source: OneLaunch.exeString found in binary or memory: https://www.imdb.com/
Source: OneLaunch.exeString found in binary or memory: https://www.imom.com/printable_categories/printable-calendars/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.in.gov/bmv/2472.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.in.gov/bmv/2524.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.in.gov/fssa/dfr/2691.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.in.gov/sos/elections/2403.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.irs.gov/forms-instructions
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ksrevenue.org/dovforms.html
Source: OneLaunch.exeString found in binary or memory: https://www.linkedin.com/
Source: OneLaunch.exeString found in binary or memory: https://www.locanto.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.maine.gov/dhhs/ofi/services/snap/index.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.maine.gov/sos/bmv/forms/index.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.maine.gov/sos/cec/elec/voter-info/voterguide.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mass.gov/lists/rmv-forms-and-applications
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mass.gov/snap-benefits-formerly-food-stamps
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mdhs.ms.gov/economic-assistance/snap/
Source: OneLaunch.exeString found in binary or memory: https://www.messenger.com/
Source: OneLaunch.exeString found in binary or memory: https://www.michaels.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.michigan.gov/mdhhs/0
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.michigan.gov/sos/0
Source: OneLaunch.exeString found in binary or memory: https://www.msn.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.myflfamilies.com/service-programs/access/food-assistance-and-suncap.shtml
Source: OneLaunch.exeString found in binary or memory: https://www.myspace.com/
Source: OneLaunch.exeString found in binary or memory: https://www.nbc.com/shows/all/popular
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ncdhhs.gov/assistance/low-income-services/food-nutrition-services-food-stamps
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ncdot.gov/dmv/downloads/Pages/default.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ncsbe.gov/Voters/Registering-to-Vote
Source: OneLaunch.exeString found in binary or memory: https://www.netflix.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.nh.gov/safety/divisions/dmv/forms/index.htm
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.nj.gov/humanservices/dfd/programs/njsnap/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.nvsos.gov/SOSVoterRegForm/
Source: OneLaunch.exeString found in binary or memory: https://www.nytimes.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.office.com/
Source: OneLaunch.exeString found in binary or memory: https://www.office.com/%craigslist_popular9/favicons/craigslist.org.png
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ohiosos.gov/elections/voters/register/#gref
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ok.gov/dps/Forms/index.html
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ok.gov/elections/Voter_Info/Register_to_Vote/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.ok.gov/tax/Individuals/Motor_Vehicle/Forms_&_Publications/General_Motor_Vehicle_Forms/
Source: OneLaunch.exeString found in binary or memory: https://www.onenote.com/notebooks?omkt=en-US
Source: OneLaunch.exeString found in binary or memory: https://www.oodle.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.oregon.gov/DHS/ASSISTANCE/FOOD-BENEFITS/pages/index.aspx
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.oregon.gov/odot/dmv/pages/form/index.aspx?wp2624=l:100
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.pavoterservices.pa.gov/Pages/VoterRegistrationApplication.aspx
Source: OneLaunch.exeString found in binary or memory: https://www.paypal.com/us
Source: OneLaunch.exeString found in binary or memory: https://www.paypal.com/us/
Source: OneLaunch.exeString found in binary or memory: https://www.pinterest.com/
Source: OneLaunch.exeString found in binary or memory: https://www.pnc.com/
Source: OneLaunch.exeString found in binary or memory: https://www.primevideo.com/
Source: OneLaunch.exeString found in binary or memory: https://www.reddit.com/
Source: OneLaunch.exeString found in binary or memory: https://www.retailmenot.com/
Source: OneLaunch.exeString found in binary or memory: https://www.salesforce.com/
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.scvotes.org/south-carolina-voter-registration-information
Source: OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.sec.state.ma.us/ele/eleifv/howreg.htm
Source: OneLaunch.exeString found in binary or memory: https://www.sho.com/series
Source: OneLaunch.exeString found in binary or memory: https://www.shopify.com/
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/add-page-numbers-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/o
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/add-watermark-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/onli
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/compress-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=o
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/delete-pdf-pages/?uid=1018533&wid=7135&ref=sodapdf.com/online&c
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/excel-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=o
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/gif-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/html-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/jpg-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/merge-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&k
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/ocr-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&key
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/password-protect-pdf/?uid=1018533&wid=7135&ref=sodapdf.com%2Fon
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/password-protect-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/onli
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/pdf-converter/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/pdf-creator/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol
Source: OneLaunch.exeString found in binary or memory: https://www.sodapdf.com/services/web/pdf-editor/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&
Source: C:\Users\user\Desktop\OneLaunch.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 784
Source: OneLaunch.exe | Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: C:\Users\user\Desktop\OneLaunch.exe | File read: C:\Users\user\Desktop\OneLaunch.exe
Source: OneLaunch.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OneLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OneLaunch.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%
Source: C:\Users\user\Desktop\OneLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\OneLaunch.exe C:\Users\user\Desktop\OneLaunch.exe
Source: C:\Users\user\Desktop\OneLaunch.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 784
Source: C:\Users\user\Desktop\OneLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6408
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A9A.tmp
Source: OneLaunch.exe | String found in binary or memory: https://www.sodapdf.com/services/web/add-watermark-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&key1=AddWatermarkToPdf
Source: OneLaunch.exe | String found in binary or memory: LaunchOnStartup-LaunchBrowserOnStartup#ClipboardShortcut/ShowSoftwareUpdatePopup'FirstRunAfterUpdate
Source: OneLaunch.exe | String found in binary or memory: U--keep-alive-for-test --no-startup-window
Source: OneLaunch.exe | String found in binary or memory: https://www.sodapdf.com/services/web/add-page-numbers-to-pdf/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&key1=AddPageNumbersToPdf
Source: OneLaunch.exe | String found in binary or memory: Vresources/wallpaperassets/loading_40@2x.png
Source: classification engine | Classification label: clean1.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\OneLaunch.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: OneLaunch.exe | Static file information: File size 12398808 > 1048576
Source: OneLaunch.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: OneLaunch.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OneLaunch.exe | Static PE information: certificate valid
Source: OneLaunch.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xba3800
Source: OneLaunch.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\OneLaunch.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.2.dr | Binary or memory string: VMware
Source: Amcache.hve.2.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.2.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.2.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.2.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.2.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.2.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\OneLaunch.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OneLaunch.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\OneLaunch.exe | Queries volume information: C:\Users\user\Desktop\OneLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\OneLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.2.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.2.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr | Binary or memory string: procexp.exe
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At (Linux); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Process Injection; 1 Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 12 System Information Discovery; 1 Remote System Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud
Behavior Graph (ID: 840120, Sample: OneLaunch.exe, Startdate: 03/04/2023, Architecture: WINDOWS, Score: 1): OneLaunch.exe started WerFault.exe.

Source | Detection | Scanner | Label | Link
OneLaunch.exe | 0% | ReversingLabs | |
OneLaunch.exe | 0% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.sos.state.nm.us/voting-and-elections/voter-information/ | 0% | Virustotal | | Browse
https://play.getfungamesnow.com/games?g=spider-solitaire | 1% | Virustotal | | Browse
https://play.getfungamesnow.com | 0% | Avira URL Cloud | safe |
https://videos-cdn.onelaunch.com/ | 0% | Avira URL Cloud | safe |
https://play.getfungamesnow.com/games?g=mahjong-deluxe | 0% | Avira URL Cloud | safe |
https://play.getfungamesnow.com/games?g=sudoku-html5 | 0% | Avira URL Cloud | safe |
https://plus.onelaunch.com/api/news/newscategoriesmCouldn | 0% | Avira URL Cloud | safe |
https://www.sos.state.nm.us/voting-and-elections/voter-information/ | 0% | Avira URL Cloud | safe |
https://play.getfungamesnow.com/games?g=spider-solitaire | 0% | Avira URL Cloud | safe |
https://www.sec.state.ma.us/ele/eleifv/howreg.htm | 0% | Avira URL Cloud | safe |
https://www.ohiosos.gov/elections/voters/register/#gref | 0% | Avira URL Cloud | safe |
http://www.dot.state.wy.us/home/titles_plates_registration.html | 0% | Avira URL Cloud | safe |
http://www.dot.state.wy.us/home/driver_license_records/formsapplications.html | 0% | Avira URL Cloud | safe |
https://soswy.state.wy.us/Elections/RegisteringToVote.aspx | 0% | Avira URL Cloud | safe |
https://r.v2i8b.com/api/v1/bid/redirect?campaign_id=01GSZ9YW40ZVTQ8S2EVDWJVPCN&url=https://amazon.co | 0% | Avira URL Cloud | safe |
https://sosmt.gov/elections/vote/ | 0% | Avira URL Cloud | safe |
https://update.onelaunch.com/settingssSomething | 0% | Avira URL Cloud | safe |
https://www.sos.state.tx.us/elections/voter/reqvr.shtml | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                        https://www.maine.gov/sos/cec/elec/voter-info/voterguide.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                          high
                                                                                          https://login.aol.com/OneLaunch.exefalse
                                                                                            high
                                                                                            https://www.cyberdriveillinois.com/publications/motorist/home.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                              high
                                                                                              https://jobs.utah.gov/customereducation/services/foodstamps/index.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                high
                                                                                                http://www.dot.nd.gov/dotnet2/view/forms.aspx?category=yes#title&registrationOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                  high
                                                                                                  https://sos.ga.gov/index.php/Elections/register_to_voteOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                    high
                                                                                                    https://api.cognitive.microsofttranslator.comOneLaunch.exefalse
                                                                                                      high
                                                                                                      https://www.hsbc.com/OneLaunch.exefalse
                                                                                                        high
                                                                                                        https://elections.hawaii.gov/voters/registration/OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                          high
                                                                                                          http://www.dot.state.wy.us/home/titles_plates_registration.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://www.nh.gov/safety/divisions/dmv/forms/index.htmOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                            high
                                                                                                            https://www.nytimes.com/OneLaunch.exefalse
                                                                                                              high
                                                                                                              https://www.dps.texas.gov/internetforms/SectionDetail.aspx?ID=15&SpeclSection=Driver%20LicenseOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                high
                                                                                                                https://elections.ri.gov/voting/registration.phpOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                  high
                                                                                                                  https://dmv.vermont.gov/forms-and-informationOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.dot.state.wy.us/home/driver_license_records/formsapplications.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://www.yahoo.com/news/OneLaunch.exefalse
                                                                                                                      high
                                                                                                                      https://www.cms.gov/Medicare/CMS-Forms/CMS-Forms/CMS-Forms-ListOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.bnymellon.com/us/en/client-access.html/OneLaunch.exefalse
                                                                                                                          high
                                                                                                                          https://office.live.com/start/Excel.aspx?omkt=en-USOneLaunch.exefalse
                                                                                                                            high
                                                                                                                            https://kizi.com/OneLaunch.exefalse
                                                                                                                              high
                                                                                                                              https://revenue.alabama.gov/forms/?d=motor-vehicleOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.astrology.com/horoscope/daily-chinese/monkey.htmlOneLaunch.exefalse
                                                                                                                                  high
                                                                                                                                  https://www.tmall.com/OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://suggestqueries.google.com/complete/search?output=firefox&q=OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.sodapdf.com/services/web/pdf-to-ppt/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&OneLaunch.exefalse
                                                                                                                                        high
                                                                                                                                        https://travel.state.gov/content/travel/en/us-visas/visa-information-resources/forms.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.sodapdf.com/services/web/pdf-reader/?uid=1018533&wid=7135&ref=sodapdf.com/online&cmp=ol&OneLaunch.exefalse
                                                                                                                                            high
                                                                                                                                            https://www.dol.wa.gov/forms/formsvehicle.htmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://sosmt.gov/elections/vote/OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://www.bankrate.com/calculators/index-of-debt-management-calculators.aspxRhttps://www.bankrate.OneLaunch.exefalse
                                                                                                                                                high
                                                                                                                                                https://www.astrology.com/horoscope/daily/pisces.htmlOneLaunch.exefalse
                                                                                                                                                  high
                                                                                                                                                  https://www.ohiosos.gov/elections/voters/register/#grefOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://dhr.maryland.gov/food-supplement-program/OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://soswy.state.wy.us/Elections/RegisteringToVote.aspxOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://mydss.mo.gov/food-assistance/food-stamp-programOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.mdhs.ms.gov/economic-assistance/snap/OneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://gmail.comOneLaunch.exefalse
                                                                                                                                                          high
                                                                                                                                                          https://transportation.ky.gov/Organizational-Resources/Pages/Forms-Library-(TC-94).aspxOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.greetingsisland.com/cards/thoughts-and-feelings/friendshipOneLaunch.exefalse
                                                                                                                                                              high
                                                                                                                                                              https://www.trustpilot.com/evaluate/onelaunch.comOneLaunch.exefalse
                                                                                                                                                                high
                                                                                                                                                                https://www.dor.ms.gov/Pages/MotorVehicle-Forms.aspxOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://r.v2i8b.com/api/v1/bid/redirect?campaign_id=01GSZ9YW40ZVTQ8S2EVDWJVPCN&url=https://amazon.coOneLaunch.exefalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://update.onelaunch.com/settingssSomethingOneLaunch.exefalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://www.bankofamerica.com/OneLaunch.exefalse
                                                                                                                                                                    high
                                                                                                                                                                    https://www.sos.state.tx.us/elections/voter/reqvr.shtmlOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://www.colorado.gov/pacific/cdhs/supplemental-nutrition-assistance-program-snapOneLaunch.exe, 00000000.00000000.258239673.000000000107C000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.google.com/maps/search/MuseumsOneLaunch.exefalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.amc.com/OneLaunch.exefalse
                                                                                                                                                                          high
No contacted IP infos
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 840120
Start date and time: 2023-04-03 17:38:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: OneLaunch.exe
Detection: CLEAN
Classification: clean1.winEXE@2/6@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 4
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22
• Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
• Execution Graph export aborted for target OneLaunch.exe, PID 6408 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtSetInformationFile calls found.
Time      Type             Description
17:39:18  API Interceptor  1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):1.0139768033418046
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:gNKnxOiHHBUZMXyaPWQvlB5/u7sWS274ItUz:uKxO8BUZMXyaJv/u7sWX4ItUz
                                                                                                                                                                          MD5:F6EB6E0FF65ED639FDB81EFEEE60C2E2
                                                                                                                                                                          SHA1:6C2519D7276AA6B399745F950260749C266B105E
                                                                                                                                                                          SHA-256:5CCD188B3E5F71EC10BCF23E8493AD77D96F0AC455C067CC5C0DC34ED050BAE6
                                                                                                                                                                          SHA-512:8556BCCC8A4753C389630464B6BC36600979DB24B5025265CA1C67147C230869C9B71AA096E81DD04C49CC9E50CECCE8A32AE3FEB42B8C71CBDAB9F0AC38C460
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.5.0.4.2.3.4.8.8.5.3.3.5.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.5.0.4.2.3.4.9.4.6.2.7.1.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.6.9.4.a.4.4.-.2.b.d.3.-.4.9.3.0.-.8.9.2.b.-.b.b.0.f.7.c.e.c.a.c.0.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.a.6.c.0.1.4.-.1.7.b.3.-.4.e.b.5.-.a.6.6.e.-.2.a.5.9.7.4.f.c.2.4.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.n.e.L.a.u.n.c.h...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.n.e.L.a.u.n.c.h...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.8.-.0.0.0.1.-.0.0.1.f.-.d.5.d.4.-.1.0.d.c.8.d.6.6.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.9.e.b.4.4.9.6.4.3.d.8.c.a.3.6.d.9.f.3.a.9.6.2.1.d.a.b.d.9.5.0.0.0.0.0.0.0.0.0.!.0.0.0.0.3.d.3.2.3.5.2.e.1.d.4.a.6.9.7.d.e.f.1.d.2.e.8.0.a.7.7.b.8.8.e.e.f.2.2.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 14 streams, Tue Apr 4 00:39:09 2023, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):221958
                                                                                                                                                                          Entropy (8bit):4.5998496865934575
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3072:4Z9vfmTFb07jd+p/cbOk93JTZ2PUil0JeCyUCgUk2WI9gIOgF5SIJJM:4TvQ0Ep5U8BTjNWI9RpD
                                                                                                                                                                          MD5:47B6E469C4203AF9B4080BFBA720439D
                                                                                                                                                                          SHA1:6E5B54E4E8CE77C8918E7890E93B59D90A2571B2
                                                                                                                                                                          SHA-256:C8C23D07DDBD03657CDF49C7511EDDA16DDD62E3B6F8B0A2D3B383C3CFB53438
                                                                                                                                                                          SHA-512:C2168A573509EB4354174B1A5394656F740A959EEAA94E74F8D85E53D23761B7A6B4849F5F8064A957E7FBE03FF7BB4B5931B4A426BD525810045E3D0FA9EFAE
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:MDMP....... ........q+d.........................................4..........T.......8...........T................D...........................................................................................U...........B..............GenuineIntelW...........T............q+d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8312
                                                                                                                                                                          Entropy (8bit):3.696273508180597
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:Rrl7r3GLNiaY6q6YqOSUu0gmfJ4x8SeCprH89bycsf+Gm:RrlsNil6q6YTSUu0gmfJ42Suyvfm
                                                                                                                                                                          MD5:959029A1E2CC8DB52DD5AECF0E0A34C8
                                                                                                                                                                          SHA1:5AD61FD2BA24A78E875090E54F1E78A3D80679A1
                                                                                                                                                                          SHA-256:3C1D80199AA44F799BB3C729C029415CD25F20B6260E50DC49C89C88A93983FF
                                                                                                                                                                          SHA-512:F0AD9A1EBD2F613AF97F0533DBD8937A7DDC9F41791308171E5A2B2843341E0638CC7E31999471C449CF37F9A096CE9DE84EEAAF59E91D58927F98FD6C8D9ABC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.8.<./.P.i.d.>.......
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4639
                                                                                                                                                                          Entropy (8bit):4.47511904942995
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwSD8zsltJgtWI9+AWgc8sqYjv8fm8M4JiLjFq+q8SyuoQBCVokd:uITflHp5grsqYYJLPoQBCmkd
                                                                                                                                                                          MD5:BD60B45B7D2091C01A0BCE16C9382A7D
                                                                                                                                                                          SHA1:EEA72F35B5E92E42CC5763C57B0415A2338028BE
                                                                                                                                                                          SHA-256:98703662E41061459FEE9008D99DEBA81D1B6BBF57C1F250CAA52D274A39C971
                                                                                                                                                                          SHA-512:462E5480F42D22F725E80A55B55C8FBC855E81A9AF729B4132486DE0B8B6D906BDF137DF70958B7BF8EAECAC7DD379058E77D04975E09039172880614FA756BA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1982029" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1572864
                                                                                                                                                                          Entropy (8bit):4.292473171780898
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12288:1ksJGdH5GA4cA93gBGOoj530cXS1uYUuIZrh1kpXD5hiQQRJJdrshekZ:tJGdH5GA4cA93gQnb+
                                                                                                                                                                          MD5:14467E7BBC43D7395730FB075FB743C7
                                                                                                                                                                          SHA1:9A7D9D96AC269112E14AD8E85803EE89E8681136
                                                                                                                                                                          SHA-256:336E9A335793F3D53BDA659CE73411B14094B1D1FF97F019BE4A3B71A7CC6FF7
                                                                                                                                                                          SHA-512:F0CAD47B90500FFF29B1ECA66FD6CC211C81A5D12B8480F6350C946C8ACF13460C1AA16B28C3605318F5691849EEE81BE92092A4B3BFF3A21CAD680A3EBA54AA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...f.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                          Entropy (8bit):3.9917817977975663
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:P6FRftx15WJ4JaUbFAJtPfq43WoGbfNasE3gMqCrHvUiBpwem7z+BqKpTeqWQe7O:6f+9U0VWhdMasSlrd
                                                                                                                                                                          MD5:79C2667F9EC3A8B5CCBBE13C3482A5A3
                                                                                                                                                                          SHA1:FDA46E76000EFD2FBFED54EDBDFFB041E15BE8ED
                                                                                                                                                                          SHA-256:704812B218F42D7AC81C1C052940E51F89CCF593120A72B2E52952739FA39220
                                                                                                                                                                          SHA-512:A54DCAB5CB0DD3EF4867E9CF4901F84E5A5EEB237CAEB3F81BBDBB6F779D359A01464B4339F81BB60F031B6E7C8AD201483524670E084CAE11F33DA67ACC48E9
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...f.................................................................................................................................................................................................................................................................................................................................................HvLE........i.................G/I......}.........0...........@.......0..hbin................p.\..,..........nk,.n...f.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .n...f...... ........................... .......Z.......................Root........lf......Root....nk .n...f...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                          Entropy (8bit):7.647257258558833
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.91%
                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.86%
                                                                                                                                                                          • InstallShield setup (43055/19) 0.21%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                          File name:OneLaunch.exe
                                                                                                                                                                          File size:12398808
                                                                                                                                                                          MD5:6b50f5cd91f309d9b882a36abc7a5b38
                                                                                                                                                                          SHA1:3d32352e1d4a697def1d2e80a77b88eef22e94ba
                                                                                                                                                                          SHA256:e6fbc6f99c534c974b5188232c951c54388dbe2f62d4ba80382363330d7a14e2
                                                                                                                                                                          SHA512:6c93b982a4f06e845a83d7cd5cd42bea6bb509e634b1dd7e1ed927920638adb3e6a14c5d9a6a868a47a25f0b847b30307c2fa6fb7d9e146b4668991d913ad1ee
                                                                                                                                                                          SSDEEP:196608:dE9ZAP0WAW0f2kkXmuFRKRmaidClaDpl7o8PMjjK9T:e9U0WAW0f2kkWuj6VaDpDPS29T
                                                                                                                                                                          TLSH:40C6F113B78995D6C56307B203B1B1619AB7FC3926A081CF7A4EF33A7876750CC62663
                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..d.........."...0..8...........V... ...`....@.. ....................................`................................
                                                                                                                                                                          Icon Hash:cc97e96de9f1c7f6
                                                                                                                                                                          Entrypoint:0xfa56f2
                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                          Digitally signed:true
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                          Time Stamp:0x6410FC3F [Tue Mar 14 22:59:11 2023 UTC]
                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                                                                                          OS Version Major:4
                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                          File Version Major:4
                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                          Signature Valid:true
                                                                                                                                                                          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                          Signature Validation Error:The operation completed successfully
                                                                                                                                                                          Error Number:0
                                                                                                                                                                          Not Before, Not After
                                                                                                                                                                          • 7/11/2021 5:00:00 PM 7/16/2023 4:59:59 PM
                                                                                                                                                                          Subject Chain
                                                                                                                                                                          • CN=ONELAUNCH TECHNOLOGIES INC., O=ONELAUNCH TECHNOLOGIES INC., L=Victoria, S=British Columbia, C=CA
                                                                                                                                                                          Version:3
                                                                                                                                                                          Thumbprint MD5:9DE00FD2B1A8652F5AA537982B132D46
                                                                                                                                                                          Thumbprint SHA-1:1A2578549C554ABA5C79637D735B4786957FA719
                                                                                                                                                                          Thumbprint SHA-256:AAAFC9ECFDF5E0BF4C8D6263AA3BACC4800EADBF2272D542C19794DA279F306E
                                                                                                                                                                          Serial:0A118F49AB8E6B2FF7EDA31ADD5B43C8
                                                                                                                                                                          Instruction
                                                                                                                                                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba56a0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba6000 | 0x2e238 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xbd2000 | 0x10d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbd6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xba37b0 | 0xba3800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xba6000 | 0x2e238 | 0x2e400 | False | 0.5347445101351351 | data | 6.440749934176237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xbd6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xba61e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | |
RT_ICON | 0xba6658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | |
RT_ICON | 0xba6ff0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | |
RT_ICON | 0xba80a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | |
RT_ICON | 0xbaa660 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | |
RT_ICON | 0xbae898 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | |
RT_ICON | 0xbb7d50 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | |
RT_ICON | 0xbc8588 | 0xac67 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xbd3200 | 0x76 | data | |
RT_VERSION | 0xbd3288 | 0x2f6 | data | |
RT_MANIFEST | 0xbd3590 | 0xca4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain
Report size exceeds maximum size, please check out the PCAP download to see all network behavior

                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:17:39:05
                                                                                                                                                                          Start date:03/04/2023
                                                                                                                                                                          Path:C:\Users\user\Desktop\OneLaunch.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Users\user\Desktop\OneLaunch.exe
                                                                                                                                                                          Imagebase:0x570000
                                                                                                                                                                          File size:12398808 bytes
                                                                                                                                                                          MD5 hash:6B50F5CD91F309D9B882A36ABC7A5B38
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                                                                                          Reputation:low

                                                                                                                                                                          Target ID:2
                                                                                                                                                                          Start time:17:39:08
                                                                                                                                                                          Start date:03/04/2023
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 784
                                                                                                                                                                          Imagebase:0x2c0000
                                                                                                                                                                          File size:434592 bytes
                                                                                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                                                                                          Reputation:high

                                                                                                                                                                          Executed Functions

                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.285871331.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_1ae0000_OneLaunch.jbxd
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%