6208acc0f0333a79efcb375e127926116cc771d6d6585098206b6f99c79609e0

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Onelaunch Software.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	OneLaunch Setup_.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	onelaunch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Onelaunch Software.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	chromium.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneLaunchUpdater.lnk	OneLaunch Setup_.tmp
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneLaunch.lnk	onelaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneLaunchChromium.lnk	onelaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneLaunchUpdater.lnk	onelaunch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneLaunch.lnk	OneLaunch Setup_.tmp
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneLaunchChromium.lnk	OneLaunch Setup_.tmp

Executes dropped EXE 52 IoCs

pid	Process
2948	Onelaunch Software.tmp
5452	Onelaunch Software.tmp
628	OneLaunch Setup_.exe
2308	OneLaunch Setup_.tmp
4156	onelaunch.exe
1604	chromium.exe
4740	chromium.exe
5640	chromium.exe
6112	chromium.exe
5104	chromium.exe
5612	chromium.exe
312	chromium.exe
2328	chromium.exe
5172	chromium.exe
1556	onelaunchtray.exe
3836	chromium.exe
3776	chromium.exe
5044	chromium.exe
5600	chromium.exe
2932	chromium.exe
3320	chromium.exe
1824	chromium.exe
3760	chromium.exe
532	chromium.exe
3688	chromium.exe
1340	chromium.exe
5016	chromium.exe
5444	chromium.exe
1712	chromium.exe
5188	chromium.exe
5512	chromium.exe
3240	chromium.exe
184	chromium.exe
4388	chromium.exe
860	chromium.exe
3556	chromium.exe
5096	chromium.exe
1280	chromium.exe
4332	chromium.exe
4900	chromium.exe
5724	chromium.exe
628	chromium.exe
4184	chromium.exe
3624	chromium.exe
2732	chromium.exe
3968	chromium.exe
4576	chromium.exe
1156	chromium.exe
5320	chromium.exe
5372	chromium.exe
2960	chromium.exe
5488	chromium.exe

Loads dropped DLL 64 IoCs

pid	Process
2948	Onelaunch Software.tmp
2948	Onelaunch Software.tmp
2948	Onelaunch Software.tmp
5452	Onelaunch Software.tmp
2308	OneLaunch Setup_.tmp
2308	OneLaunch Setup_.tmp
2308	OneLaunch Setup_.tmp
1604	chromium.exe
4740	chromium.exe
5640	chromium.exe
1604	chromium.exe
6112	chromium.exe
6112	chromium.exe
5104	chromium.exe
5104	chromium.exe
5612	chromium.exe
5612	chromium.exe
6112	chromium.exe
6112	chromium.exe
6112	chromium.exe
312	chromium.exe
312	chromium.exe
6112	chromium.exe
2328	chromium.exe
2328	chromium.exe
5172	chromium.exe
5172	chromium.exe
3836	chromium.exe
3836	chromium.exe
3776	chromium.exe
3776	chromium.exe
5044	chromium.exe
5600	chromium.exe
5044	chromium.exe
5600	chromium.exe
2932	chromium.exe
2932	chromium.exe
3320	chromium.exe
3320	chromium.exe
1824	chromium.exe
1824	chromium.exe
3760	chromium.exe
3760	chromium.exe
532	chromium.exe
532	chromium.exe
3688	chromium.exe
3688	chromium.exe
1340	chromium.exe
1340	chromium.exe
5016	chromium.exe
5016	chromium.exe
5444	chromium.exe
5444	chromium.exe
1712	chromium.exe
1712	chromium.exe
4156	onelaunch.exe
5188	chromium.exe
5188	chromium.exe
5188	chromium.exe
5512	chromium.exe
5512	chromium.exe
5512	chromium.exe
5512	chromium.exe
5512	chromium.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\onelaunch.exe\" -ToastActivated"	onelaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32	onelaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\onelaunch.exe\" -ToastActivated"	onelaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32	onelaunch.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneLaunchChromium = "C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\ChromiumStartupProxy.exe --tab-trigger=SystemStart"	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_822E9BCF957816ED0183A9A1E348BDB1 = "\"C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\chromium\\chromium.exe\" --no-startup-window /prefetch:5"	chromium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneLaunch = "C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\onelaunch.exe"	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneLaunchChromium = "C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\ChromiumStartupProxy.exe"	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneLaunch = "C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\onelaunch.exe /startedFrom=registry"	onelaunch.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	onelaunch.exe
File opened (read-only)	\??\Z:	onelaunch.exe
File opened (read-only)	\??\A:	onelaunch.exe
File opened (read-only)	\??\B:	onelaunch.exe
File opened (read-only)	\??\N:	onelaunch.exe
File opened (read-only)	\??\R:	onelaunch.exe
File opened (read-only)	\??\W:	onelaunch.exe
File opened (read-only)	\??\G:	onelaunch.exe
File opened (read-only)	\??\P:	onelaunch.exe
File opened (read-only)	\??\Q:	onelaunch.exe
File opened (read-only)	\??\S:	onelaunch.exe
File opened (read-only)	\??\E:	onelaunch.exe
File opened (read-only)	\??\I:	onelaunch.exe
File opened (read-only)	\??\J:	onelaunch.exe
File opened (read-only)	\??\L:	onelaunch.exe
File opened (read-only)	\??\M:	onelaunch.exe
File opened (read-only)	\??\U:	onelaunch.exe
File opened (read-only)	\??\Y:	onelaunch.exe
File opened (read-only)	\??\H:	onelaunch.exe
File opened (read-only)	\??\K:	onelaunch.exe
File opened (read-only)	\??\O:	onelaunch.exe
File opened (read-only)	\??\T:	onelaunch.exe
File opened (read-only)	\??\V:	onelaunch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
269	api.keen.io
272	api.keen.io
470	dropbox.com
822	api.keen.io
558	api.keen.io
53	api.keen.io
54	api.keen.io
86	api.keen.io
113	api.keen.io
559	api.keen.io
660	api.keen.io
775	api.keen.io
777	api.keen.io
13	api.keen.io
87	api.keen.io
273	api.keen.io
475	dropbox.com
14	api.keen.io
469	dropbox.com
573	api.keen.io
791	api.keen.io

Detected potential entity reuse from brand google.
phishing google

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chromium.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chromium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1968	2308	WerFault.exe	100
2036	2308	WerFault.exe	100

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chromium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chromium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chromium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chromium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chromium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chromium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chromium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chromium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chromium.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4820	taskkill.exe
1844	taskkill.exe
4652	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chromium.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133507267994347166"	chromium.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Application	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\chromium\\chromium.exe,0"	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Shell\open	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Application\AppUserModelId = "OneLaunchHTML"	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\onelaunch.exe\" -ToastActivated"	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}\DisplayName = "OneLaunch"	onelaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}\Has7.0.1Fix = "1"	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}\CustomActivator = "{99b9f71c-c1a0-6069-463a-4e668ae065ac}"	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Application\ApplicationDescription = "Access the Internet"	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32	onelaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}\\Icon.png"	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Shell\open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\chromium\\chromium.exe\" -- \"%1\""	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\onelaunch.exe\" -ToastActivated"	onelaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\RunAs = "Interactive User"	onelaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\wbappbar	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\OneLaunch\\5.26.0\\chromium\\chromium.exe,0"	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Shell\open\Command	OneLaunch Setup_.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}	onelaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\AppId = "{99b9f71c-c1a0-6069-463a-4e668ae065ac}"	onelaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId	onelaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML	OneLaunch Setup_.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Application\ApplicationCompany = "OneLaunch"	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}\IconBackgroundColor = "FFDDDDDD"	onelaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Application\ApplicationName = "OneLaunch"	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\DefaultIcon	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\OneLaunchHTML\Shell	OneLaunch Setup_.tmp
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID	onelaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99b9f71c-c1a0-6069-463a-4e668ae065ac}\LocalServer32	onelaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\AppUserModelId\Microsoft.AutoGenerated.{CE49BE7E-DFA6-F866-E9C0-551C5C7A3829}	onelaunch.exe

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	269	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	54	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	270	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4156	onelaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
1604	chromium.exe
1604	chromium.exe
4156	onelaunch.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
5188	chromium.exe
5188	chromium.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4156	onelaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4156	onelaunch.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeDebugPrivilege	1556	onelaunchtray.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	4156	onelaunch.exe
Token: SeCreatePagefilePrivilege	4156	onelaunch.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe
Token: SeCreatePagefilePrivilege	1604	chromium.exe
Token: SeShutdownPrivilege	1604	chromium.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2948	Onelaunch Software.tmp
2308	OneLaunch Setup_.tmp
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
1556	onelaunchtray.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
1604	chromium.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe
4156	onelaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4156	onelaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2948	4972	Onelaunch Software.exe	87
PID 4972 wrote to memory of 2948	4972	Onelaunch Software.exe	87
PID 4972 wrote to memory of 2948	4972	Onelaunch Software.exe	87
PID 2948 wrote to memory of 112	2948	Onelaunch Software.tmp	97
PID 2948 wrote to memory of 112	2948	Onelaunch Software.tmp	97
PID 2948 wrote to memory of 112	2948	Onelaunch Software.tmp	97
PID 112 wrote to memory of 5452	112	Onelaunch Software.exe	98
PID 112 wrote to memory of 5452	112	Onelaunch Software.exe	98
PID 112 wrote to memory of 5452	112	Onelaunch Software.exe	98
PID 5452 wrote to memory of 628	5452	Onelaunch Software.tmp	99
PID 5452 wrote to memory of 628	5452	Onelaunch Software.tmp	99
PID 5452 wrote to memory of 628	5452	Onelaunch Software.tmp	99
PID 628 wrote to memory of 2308	628	OneLaunch Setup_.exe	100
PID 628 wrote to memory of 2308	628	OneLaunch Setup_.exe	100
PID 628 wrote to memory of 2308	628	OneLaunch Setup_.exe	100
PID 2308 wrote to memory of 4820	2308	OneLaunch Setup_.tmp	101
PID 2308 wrote to memory of 4820	2308	OneLaunch Setup_.tmp	101
PID 2308 wrote to memory of 4820	2308	OneLaunch Setup_.tmp	101
PID 2308 wrote to memory of 1844	2308	OneLaunch Setup_.tmp	103
PID 2308 wrote to memory of 1844	2308	OneLaunch Setup_.tmp	103
PID 2308 wrote to memory of 1844	2308	OneLaunch Setup_.tmp	103
PID 2308 wrote to memory of 4652	2308	OneLaunch Setup_.tmp	105
PID 2308 wrote to memory of 4652	2308	OneLaunch Setup_.tmp	105
PID 2308 wrote to memory of 4652	2308	OneLaunch Setup_.tmp	105
PID 2308 wrote to memory of 4680	2308	OneLaunch Setup_.tmp	108
PID 2308 wrote to memory of 4680	2308	OneLaunch Setup_.tmp	108
PID 2308 wrote to memory of 5816	2308	OneLaunch Setup_.tmp	110
PID 2308 wrote to memory of 5816	2308	OneLaunch Setup_.tmp	110
PID 2308 wrote to memory of 516	2308	OneLaunch Setup_.tmp	112
PID 2308 wrote to memory of 516	2308	OneLaunch Setup_.tmp	112
PID 2308 wrote to memory of 5668	2308	OneLaunch Setup_.tmp	114
PID 2308 wrote to memory of 5668	2308	OneLaunch Setup_.tmp	114
PID 2308 wrote to memory of 3412	2308	OneLaunch Setup_.tmp	116
PID 2308 wrote to memory of 3412	2308	OneLaunch Setup_.tmp	116
PID 2308 wrote to memory of 212	2308	OneLaunch Setup_.tmp	118
PID 2308 wrote to memory of 212	2308	OneLaunch Setup_.tmp	118
PID 2308 wrote to memory of 4156	2308	OneLaunch Setup_.tmp	120
PID 2308 wrote to memory of 4156	2308	OneLaunch Setup_.tmp	120
PID 2308 wrote to memory of 1604	2308	OneLaunch Setup_.tmp	122
PID 2308 wrote to memory of 1604	2308	OneLaunch Setup_.tmp	122
PID 2308 wrote to memory of 1604	2308	OneLaunch Setup_.tmp	122
PID 1604 wrote to memory of 4740	1604	chromium.exe	123
PID 1604 wrote to memory of 4740	1604	chromium.exe	123
PID 1604 wrote to memory of 4740	1604	chromium.exe	123
PID 4740 wrote to memory of 5640	4740	chromium.exe	124
PID 4740 wrote to memory of 5640	4740	chromium.exe	124
PID 4740 wrote to memory of 5640	4740	chromium.exe	124
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128
PID 1604 wrote to memory of 6112	1604	chromium.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Onelaunch Software.exe
"C:\Users\Admin\AppData\Local\Temp\Onelaunch Software.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\is-QI2J5.tmp\Onelaunch Software.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QI2J5.tmp\Onelaunch Software.tmp" /SL5="$110050,2484193,893952,C:\Users\Admin\AppData\Local\Temp\Onelaunch Software.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\Onelaunch Software.exe
    "C:\Users\Admin\AppData\Local\Temp\Onelaunch Software.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MDYyNTMwNTMsImRpc3RpbmN0X2lkIjoiMUY0MjlDN0QtOUQ0NS00M0FELTgxNzctNzRBNzZBQTUzOEE0IiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMjYuMC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImEiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsInNlcnZlcl9zaWRlX3NwbGl0XzIzXzA2X3JvdW5kZWRfc2VhcmNoYmFyIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjNfMTBfZW5oYW5jZWRfc2VhcmNoX2Fzc2lzdCI6InZhcmlhdGlvbiIsInNwbGl0XzIyXzEyX21vcmVfZWR1Y2F0aW9uYWxfbWluaXByb21wdHMiOiJ2YXJpYXRpb24iLCJlbmNvZGVkX3NwbGl0cyI6IjAwMCJ9 /LAUNCHER /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\is-QRTOL.tmp\Onelaunch Software.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QRTOL.tmp\Onelaunch Software.tmp" /SL5="$3022E,2484193,893952,C:\Users\Admin\AppData\Local\Temp\Onelaunch Software.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MDYyNTMwNTMsImRpc3RpbmN0X2lkIjoiMUY0MjlDN0QtOUQ0NS00M0FELTgxNzctNzRBNzZBQTUzOEE0IiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMjYuMC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImEiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsInNlcnZlcl9zaWRlX3NwbGl0XzIzXzA2X3JvdW5kZWRfc2VhcmNoYmFyIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjNfMTBfZW5oYW5jZWRfc2VhcmNoX2Fzc2lzdCI6InZhcmlhdGlvbiIsInNwbGl0XzIyXzEyX21vcmVfZWR1Y2F0aW9uYWxfbWluaXByb21wdHMiOiJ2YXJpYXRpb24iLCJlbmNvZGVkX3NwbGl0cyI6IjAwMCJ9 /LAUNCHER /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5452
    - - C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MDYyNTMwNTMsImRpc3RpbmN0X2lkIjoiMUY0MjlDN0QtOUQ0NS00M0FELTgxNzctNzRBNzZBQTUzOEE0IiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMjYuMC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImEiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsInNlcnZlcl9zaWRlX3NwbGl0XzIzXzA2X3JvdW5kZWRfc2VhcmNoYmFyIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjNfMTBfZW5oYW5jZWRfc2VhcmNoX2Fzc2lzdCI6InZhcmlhdGlvbiIsInNwbGl0XzIyXzEyX21vcmVfZWR1Y2F0aW9uYWxfbWluaXByb21wdHMiOiJ2YXJpYXRpb24iLCJlbmNvZGVkX3NwbGl0cyI6IjAwMCJ9
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Users\Admin\AppData\Local\Temp\is-4QUS8.tmp\OneLaunch Setup_.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4QUS8.tmp\OneLaunch Setup_.tmp" /SL5="$80228,104703795,893952,C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MDYyNTMwNTMsImRpc3RpbmN0X2lkIjoiMUY0MjlDN0QtOUQ0NS00M0FELTgxNzctNzRBNzZBQTUzOEE0IiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMjYuMC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImEiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsInNlcnZlcl9zaWRlX3NwbGl0XzIzXzA2X3JvdW5kZWRfc2VhcmNoYmFyIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjNfMTBfZW5oYW5jZWRfc2VhcmNoX2Fzc2lzdCI6InZhcmlhdGlvbiIsInNwbGl0XzIyXzEyX21vcmVfZWR1Y2F0aW9uYWxfbWluaXByb21wdHMiOiJ2YXJpYXRpb24iLCJlbmNvZGVkX3NwbGl0cyI6IjAwMCJ9
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im onelaunch.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im chromium.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im onelaunchtray.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Delete /TN "OneLaunchLaunchTask" /F
        7⤵
        
        PID:4680
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Delete /TN "ChromiumLaunchTask" /F
        7⤵
        
        PID:5816
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Delete /TN "OneLaunchUpdateTask" /F
        7⤵
        
        PID:516
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /delete /tn OneLaunchLaunchTask /f
        7⤵
        
        PID:5668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /delete /tn ChromiumLaunchTask /f
        7⤵
        
        PID:3412
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /delete /tn OneLaunchUpdateTask /f
        7⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\onelaunch.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\onelaunch.exe" /l /startedFrom=installer
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\onelaunchtray.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\onelaunchtray.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" https://onenews.com/combo/a/nc/?s=https%3A%2F%2Fsearch.yahoo.com%2Fyhs%2Fsearch%3Fhspart%3Dreb%26hsimp%3Dyhs-ext_onelaunch%26p%3D%7BsearchTerms%7D%26type%3D0_1000_100_1000_100_240126&native=ob --tab-trigger=app
        8⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:184
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x6ef02d80,0x6ef02d90,0x6ef02d9c
        9⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2028 --field-trial-handle=2032,i,4018434213589765505,17610954759970520767,262144 /prefetch:2
        9⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --network-service-scheduler --mojo-platform-channel-handle=2068 --field-trial-handle=2032,i,4018434213589765505,17610954759970520767,262144 /prefetch:8
        9⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" https://onenews.com/combo/a/nc/?s=https%3A%2F%2Fsearch.yahoo.com%2Fyhs%2Fsearch%3Fhspart%3Dreb%26hsimp%3Dyhs-ext_onelaunch%26p%3D%7BsearchTerms%7D%26type%3D0_1000_100_1000_100_240126&native=ob --tab-trigger=app
        8⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x6ef02d80,0x6ef02d90,0x6ef02d9c
        9⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2b0,0x2e8,0xf36660,0xf36670,0xf3667c
        10⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2004 --field-trial-handle=2008,i,7197891357565188562,9651494972479959134,262144 /prefetch:2
        9⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --network-service-scheduler --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,7197891357565188562,9651494972479959134,262144 /prefetch:8
        9⤵
        Executes dropped EXE
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" https://search.yahoo.com/yhs/search?hspart=reb&hsimp=yhs-ext_onelaunch&p=anleitung%20waschmaschine&type=0_1000_100_1000_100_240126 --tab-trigger=app
        8⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x6ef02d80,0x6ef02d90,0x6ef02d9c
        9⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2a0,0x2d0,0xf36660,0xf36670,0xf3667c
        10⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1996 --field-trial-handle=2000,i,16064860287692657612,16435232760538703898,262144 /prefetch:2
        9⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --network-service-scheduler --mojo-platform-channel-handle=2032 --field-trial-handle=2000,i,16064860287692657612,16435232760538703898,262144 /prefetch:8
        9⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --start-maximized --tab-trigger=Launch
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x6ef02d80,0x6ef02d90,0x6ef02d9c
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneLaunch\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneLaunch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=OneLaunch --annotation=ver=118.0.0.0 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2a0,0x2d0,0xf36660,0xf36670,0xf3667c
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2072 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:2
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --network-service-scheduler --mojo-platform-channel-handle=2588 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=2596 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:312
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --disable-nacl --first-renderer-process --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3984 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --instant-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3620 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=4988 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=4920 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5464 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5572 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5088 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5092 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5864 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5928 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5512 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:532
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5724 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5424 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5532 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=6240 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6460 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4608 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4620 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:2
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4648 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6844 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:628
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5824 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5276 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=1200 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=de --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5308 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:8
        8⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe
        
        "C:\Users\Admin\AppData\Local\OneLaunch\5.26.0\chromium\chromium.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=de --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5488 --field-trial-handle=2084,i,4837280742235979809,16445226066659610788,262144 /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 2600
        7⤵
        Program crash
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 2600
        7⤵
        Program crash
        
        PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2308 -ip 2308
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2308 -ip 2308
1⤵
PID:3820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x504
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery