hxxps://pdf[.]onestart[.]ai/

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pdf.onestart.ai/

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	onestart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	onestart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	onestart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	onestart.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 19 IoCs

pid	Process
1828	onestart_installer.exe
2620	setup.exe
3476	setup.exe
2904	setup.exe
4080	setup.exe
2796	onestart.exe
3136	onestart.exe
4772	onestart.exe
2968	onestart.exe
2044	onestart.exe
1200	onestart.exe
5604	onestart.exe
5616	onestart.exe
6096	onestart.exe
6108	onestart.exe
6012	onestart.exe
5304	onestart.exe
5560	onestart.exe
556	MSI59D4.tmp

Loads dropped DLL 46 IoCs

pid	Process
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
2652	MsiExec.exe
1628	MsiExec.exe
1628	MsiExec.exe
1628	MsiExec.exe
1628	MsiExec.exe
1628	MsiExec.exe
2796	onestart.exe
3136	onestart.exe
2796	onestart.exe
4772	onestart.exe
2968	onestart.exe
4772	onestart.exe
2968	onestart.exe
4772	onestart.exe
4772	onestart.exe
4772	onestart.exe
4772	onestart.exe
4772	onestart.exe
4772	onestart.exe
2044	onestart.exe
2044	onestart.exe
1200	onestart.exe
5604	onestart.exe
5616	onestart.exe
5616	onestart.exe
5604	onestart.exe
6096	onestart.exe
6096	onestart.exe
6108	onestart.exe
6108	onestart.exe
6012	onestart.exe
6012	onestart.exe
5304	onestart.exe
5304	onestart.exe
5560	onestart.exe
5560	onestart.exe
2652	MsiExec.exe
2652	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneStartUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --update"	onestart.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneStartAutoLaunch_E782F387E217800A520B08130778A3F6 = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --no-startup-window --existing-window /prefetch:5"	onestart.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
72	2900	msiexec.exe
74	2900	msiexec.exe
76	2900	msiexec.exe
89	1628	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	onestart.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	onestart.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\manifest.json	onestart.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\_metadata\verified_contents.json	onestart.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\manifest.fingerprint	onestart.exe
File created	C:\Program Files\chrome_url_fetcher_2796_1542708678\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3	onestart.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\_platform_specific\win_x64\widevinecdm.dll.sig	onestart.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\_platform_specific\win_x64\widevinecdm.dll	onestart.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\LICENSE	onestart.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e588410.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI848D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI875E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8925.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e588410.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8588.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2089CA4D-74DD-42DB-B790-E43938A090BF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8898.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI59D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	onestart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	onestart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	onestart.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	onestart.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717538320100629"	chrome.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.shtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xht	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xhtml\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe,0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.htm\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.svg\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.webp	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.webp\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\ = "OneStart HTML Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe,0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\Application\ApplicationName = "OneStart"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.html	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.pdf	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.shtml\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.svg	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\126.0.6478.130\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xht\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.webp\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\AppUserModelId = "OneStart.LMFDYGSWDT5N3K2BCGAHJQFRXE"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\Application\ApplicationDescription = "Access the Internet"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.html\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\Application\ApplicationCompany = "OneStart.ai"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.pdf\OpenWithProgids\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\126.0.6478.130\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.htm	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\OSBHTML.LMFDYGSWDT5N3K2BCGAHJQFRXE\Application\AppUserModelId = "OneStart.LMFDYGSWDT5N3K2BCGAHJQFRXE"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.html\OpenWithProgids	setup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
2316	msiexec.exe
2316	msiexec.exe
556	MSI59D4.tmp
556	MSI59D4.tmp
5436	chrome.exe
5436	chrome.exe
5436	chrome.exe
5436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe
Token: SeShutdownPrivilege	4796	chrome.exe
Token: SeCreatePagefilePrivilege	4796	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
2900	msiexec.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2900	msiexec.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe
2796	onestart.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 5092	4796	chrome.exe	82
PID 4796 wrote to memory of 5092	4796	chrome.exe	82
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 5000	4796	chrome.exe	83
PID 4796 wrote to memory of 4824	4796	chrome.exe	84
PID 4796 wrote to memory of 4824	4796	chrome.exe	84
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85
PID 4796 wrote to memory of 1856	4796	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pdf.onestart.ai/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa2e8fcc40,0x7ffa2e8fcc4c,0x7ffa2e8fcc58
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1596,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5100,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3528,i,5166092008587619568,15788455533307949698,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\OneStartInstaller-v5.5.240.0.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 92E4A5401CCB7FABCF245815EE89FCA3 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0FF138D790DE8AB543506F006BF02AD2
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
  "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "0" "0" "1" "0"
  2⤵
  - Executes dropped EXE
  PID:1828
- - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\ONESTART.PACKED.7Z" "install" "0" "0" "1" "0"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2620
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=126.0.6478.130 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff77c65dab0,0x7ff77c65dabc,0x7ff77c65dac8
      4⤵
      Executes dropped EXE
      PID:3476
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0
      4⤵
      Executes dropped EXE
      PID:2904
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=126.0.6478.130 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff77c65dab0,0x7ff77c65dabc,0x7ff77c65dac8
        5⤵
        Executes dropped EXE
        
        PID:4080
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks system information in the registry
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2796
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=126.0.6478.130 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa1c7e1c70,0x7ffa1c7e1c7c,0x7ffa1c7e1c88
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3136
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=1992 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4772
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --field-trial-handle=1908,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2968
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2344,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2044
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ""%LOCALAPPDATA%\OneStart.ai\OneStart\Application\onestart.exe" --update"
        5⤵
        
        PID:1552
      - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1200
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3920,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5604
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3944,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5616
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4972,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6012
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5112,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6096
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5244,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6108
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5228,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5304
    - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
        
        "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5272,i,9077308629323277443,14310336086986683415,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5560
- C:\Windows\Installer\MSI59D4.tmp
  "C:\Windows\Installer\MSI59D4.tmp" /HideWindow cmd.exe /c "rmdir /s /q "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe" -Embedding
1⤵
PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x1cc,0x1d0,0x1d4,0x1a8,0x1d8,0x7ff60d703600,0x7ff60d70360c,0x7ff60d703618
  2⤵
  PID:1696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\""
1⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c
1⤵
- System Location Discovery: System Language Discovery
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588411.rbs

Filesize
762KB

MD5
2232312080a09aa0a0a6435625c6f9cd

SHA1
9798ebcb73cf5b0567e122b238281786a2acc3ad

SHA256
b033f4d67d06c439541140cc7198a870eeb8e2a40bae0cf67e606c178d12eebe

SHA512
450b63da6ee161b0f8326546fe11b2b9d74bdf0ca2e12d75488a575f0d1a6a5a1c3875006e05e77ef37d6a2a2a02f66a875228a2ef54e1bd2774df9c476eca98

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2796_757681933\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_92EDC502ED2DCA77FBA738595B424D4A

Filesize
1KB

MD5
4f9160eed66ad006465a09072dae1170

SHA1
f2bd65d1481a6bdca9c03f87edecff6c10c4b5c9

SHA256
39c236b5518f2f5c03803a263e500f0c44ff28529c9d12f6c97e9716a3867d4e

SHA512
605e4226d1ce1aab50702c87695fc071c47b18417e70201a32880b5406600a05799833befcc804fd931e0b22587ce00ea2912ca8ef8c45a634d9fdf76890e9cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
8e2ed4fb075ef7ea79b9a8b18b46b6ec

SHA1
26d02c078ce57c03633c48eb85477d5a57b9625e

SHA256
897a4636ada6a6493ce97227fa08e4ab37df0ea9ee8aeb0b6e3da17cc3da74cd

SHA512
4b8723639c71298a32312e3568a2394c7e66d09cd09ab450ed6285ee40a9ed42dd9564a5a6ce519981f50a54ab6e5d448ab22de9180759936cbc7fd4153ba20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_92EDC502ED2DCA77FBA738595B424D4A

Filesize
540B

MD5
bf258b455f79cc1773a79f9080eeafc3

SHA1
982bd5f3e05e7561aba34ec38dfe1102f2dd9efe

SHA256
c7297ea1d5ad44283d067027022ba0e2f21f177da301d89b295c64e0ae6759f6

SHA512
975ba93108eec05533515b0a38219a29a10b986f0975fa62f607984e7b0d21fc5b244cd45fd05b2b4e8506ef9ad2da4284605a50b172a068c76631fe72008842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
e98451e190e7b1657b8e063e83cd112e

SHA1
dc2c4180cdd8890fb27e88c4e95a3edc62b50716

SHA256
2058ec9244fb75188862ca32cbc2482b4145f50cc612ff9dee3cacbd91d4e783

SHA512
f92f2b69c6288521e502f3d4253ef03e62ba8c44a68e2b315fc42559005b9a9ec18ab95b3e796e4714e4dc9a89b21cadee4c30f8a08a74c7a93a36d4246c5b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ebd1e0c475994371b3998462615f0d05

SHA1
14e355cb59a4e518018b776164c6d0217aca50e8

SHA256
6982055c717bbdaed4aeec95fd9209e1f933093cf5419bc09194366ee80b0541

SHA512
7aa0bc09e0f291418fe3b6683c2e6e83781a2d96af1d36fd47162a132cfb1fe0051135fe401c6f953c85948974aa79343fb88a0d40ed31be7c60249ae21a3a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7c33683e405297548442431ef42c9b9c

SHA1
bede434d7df157e8eff246115c7b2648bcdfa237

SHA256
908ee0c6ba67cfed41301e69c85ccb22f09037686cad9c2f609f6850d92ce1d3

SHA512
009a82323d3c95f0cc42805ea8ee523552b56b28baaefcafcf0ecd209b4d7bec5178e61bdd1ffaa243d6fd2ac5d6f15a2745ad889a9182dbf1c09a95f54690e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
bcda8ccfa6e468d7295290a78549766e

SHA1
ae1f666d034af00043643a8a12d268c39d144a89

SHA256
b89f4229b605eec8bb45a1669da4a4cb1202f5ac3bc12fea69ac61927d94a339

SHA512
900fe1dcb2d73ebc8d332a5953ce71d97909c418dcd1ef832dee313ab964a99dcf828a0d08023b4491774267423f3f9b9e71ccb549c5f90bd3d3fc95532af523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e01f302a03a91d8d327e3f88e5617b71

SHA1
bf1ff0e934d4367441c850c24a1a170e080d67e6

SHA256
f49ec9f8148ab2fa74b21621e624436bdc2cad6514b58bc711c7364cbe9b54c7

SHA512
ed7bb71dda9ce13fb51231ca580adbf6233512980197aa5391d504b97f47c471f9ffd041451628349abc5290829c665093bfdea46a571a492d56a468672fd2d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7e19326420c775046da9222f1a63c40f

SHA1
f837dc80f0a80fd9413b28c6c7fa6716b1e5e7ae

SHA256
a4fcce2dd254820516ac7cb31bd69aea6421e49c5ed714c362ee14b6d71ef19b

SHA512
a35d5b5bfee9e69f96bdf22616341541824e3294809f0a437f0b73929d5aee72dee570a899a573885bded3d5b0fbe5230b3fc97b5675c791722ce4c13b7e5879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e831ddecceab52ccde54e55f9875183c

SHA1
1f2e34e4732bc41ef41f9363319edde5f2d35801

SHA256
a561cd0ff374c22d7c640acf22c72ea912dfc6b61c8ddf571a88d8eaa8ba1c91

SHA512
e961ddf8e2ddc2a5b5e276dc872856e4460eb10be64f51ce205688ecda2efbb228627941cce29871ed4d5ee92bbd9d7c3e175fd4e9b3c2094b03364d1836c87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d23c0337060e884f6ba0bb2e17b19a91

SHA1
23fa18d4a80e0fa28201e04de63ce73f8e56a348

SHA256
98143d4350b11c2a07a24086b56e75e15ca2b0c076d34768edc6cb9796148a70

SHA512
f0faa546cb048aec11a5077993dad8a7893bf433a2545550f53e3c21bd462ce16c388d429756631ca6340fcc5f12565c37e94a527683ec509735ca82cebffee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2bb398715273eab853a931e80e14bdb

SHA1
e999cece43b8e74a51ba5356d111527532f733b3

SHA256
c157ccad198c1d08a44d0a987c4c6a604be0ba84612673fb531d06ee9d5dbac2

SHA512
d8e0ab05eacdfd8d0f1017dac5739c1f388a75c254c1b5de2b6c027d35956ef14ae98c05936e3efb3c4e10ca0858802fb18222b87099be10e1a5d3c67bde0dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6fc342ff04553f90df73a278da7617a1

SHA1
a58054308308ae13484dcc24f80c1920b9607051

SHA256
6b15cf5d0c1c7ee09839dbbce4db99a93fb23ed4bf0ea9bb30955cb591274295

SHA512
66e9e3483235c1345eac27c281d645cfbd58622bc455efc0e470f6a47c3982918b27cc622a35485f979da02ec41ee83c187e1c9a20d12c8bbb14406e5f5ad296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4619ac6bee3e48a357511f2c2801807e

SHA1
0776d6bad9b5899a892e38f8d0cbdd7a12b78351

SHA256
b332c374a197513e023ec0c67ba9a523ae11a1ead1c8e5ecefcad9bc222d663a

SHA512
005385038850f71a0a852d8fd098d89c060ea6265c8d4751b000127629e28f35e49dcb2699b9bf17ece038a37fb2aa29e2eff50e8db8e86435a9b13251b5849e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ebe374b1b77079add9501a903438244

SHA1
058b3ede9cbc06d5cc34f75ceff1b7d6fad871cf

SHA256
58aaeffe3d8dabeff461870091804078b844741bd901651882fca58de3be8314

SHA512
79b5031a5d9cd0cf09550ab35d85cbb3f9935557905aaf66dd1693f2334357b6799c7ebf5e5b26cb4c7f2eb6e557c32f608c3cd0e5d71ff752cc3a19876db90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b97d23127f6009041d68cd313e95e258

SHA1
b3b49dcc660062e6f803ce31ab943264c7a7bab8

SHA256
287901ada34bae844d51fac4a525b761c9cd9df6616389ad6dc1c7652ac831a8

SHA512
bf947162ff511137a41a36fa858aed1ed243596aa0f4db8aeb2c7a85abbc2232caeaaf3e3e70a7d867fd7d974b80d88f38d3fa6b5a54e8080d270bf1f5bf9ae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bae6787c30d37bac5ece5b935f534b6

SHA1
84fe8221d12042a3a943fe910b1c60f515953fff

SHA256
37116303038a91190a50ad55b15003d68ef1c5918f1ca94ec3cde12dcd60f40b

SHA512
a24f30f83ad358da4db7aa282714873f4d471aabdc8aa234f3d71eb13212f4b237088122965c73e66f28616ae47526489338b708137aae55c27ea04ac3726bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b9cb7de1b5dd490e8b29eca0a8e7e73

SHA1
b0f09fd7ecedff3bbdba321c1521d5e6c0b775d3

SHA256
c048b9e2415302ed583ac0322a28eb656b4b1f3077f167136dd87648159e4780

SHA512
f67294c7151b4fdf675d34ec7161d8ec6fedaf6fa4b44137821c9546bc1d25b397a1fc810b3036e6ce0e34fbe2e984537aaef72ca8275eda4497f8d1694822d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fc76329bc259133e29f83f77daffd509

SHA1
d38b8f9a18cbde19ed709429d5196f17b7d6087f

SHA256
bfd3731452a674ccae54295c67dc1e472227f98e5ea048ba0cdbd2528867f61a

SHA512
f1b4c9321c9fa45eb40706d41c61803d1d4c3ab1346fb7c55ddde1fa11f40c74d16681c9a423136af070e45dbab2135d4d8acc8c22177cf4348657932086671d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d0cd46797aba3f2cbf3e130b2fb64306

SHA1
cbb12d2d53476cddf7006e4da62163106ee3aaf5

SHA256
0edff3eb1b692aec142c582a313d43f5fd132a05e6bf3bd08bd423beb9ade4a4

SHA512
d1707e0b5989d49523b13bb77aabb1bea8b28853b57a66f2f637c72e407145403963f1410ad7e74e6f64a63789f7066cb01905883c1d74de259f14480adb1841

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart Installer\CR_642F8.tmp\setup.exe

Filesize
3.1MB

MD5
05306e3b96ce2b9fd23d76e2dd9f89dc

SHA1
03813388e14e86765eb2f889d3d119545e5e7e63

SHA256
b486f2283d8940caef719eb4af921d8e6d958c0434351559d1eb95828f58847a

SHA512
a6ac0ca3aa6a690ce6550e9e0c4783c541e706a8996063a273316090a3ea4a2d5616a8a4a4e793867ed335f36c1eb011c7cd6ac0cac99ae966112e78bd0f2036

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

Filesize
195B

MD5
dc502aae62a37ab4dd70756cc75ae29e

SHA1
97ba3da0cb66fbb8670b99a2efcc435e4c48652b

SHA256
1488f3426c54041e2c63fc985a00376e24a24ceb21e6ae2b54926f6d50048187

SHA512
ac9aa2ee6b50b76fc4ca9cd93eb207454395fc2a3ed01951b42984f43245adbcff990f77023cf216b23b093d147a8c2062ae275d5bd9d3882ff58304508dcaac

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

Filesize
241B

MD5
27257c87d4fe2ceb0221f81eabb28309

SHA1
3d18e8e948179266c6d1dcc1afba322ecd8dcd54

SHA256
505f92365bedc53e075799052051eb5fbd02b7efe054eead54876fa1372e138a

SHA512
d5c0555d5c87ad7dabad3c28c43eafd35ef5bc8f90a59b5cd96ea167e14716d4f187fb03b3eca7f5a04d9c22f810e38f4d6b3ce8d9ef69e17ef03a121f5af302

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\.data\updates.dat

Filesize
544B

MD5
093ca212ef12accd000d95c7bbe4f703

SHA1
ec3df040fc4f4963516c6fbb6e13d63cfab8a556

SHA256
64f1c64d53f25391daf108af01bd4f9e91da80f9d0eff984a9ddfb0400244d92

SHA512
0b32bf79fc7050cd41ecab04204e7d89e016b1c43b45dcb486d6ffcc2b9a92c2ffc7a9efc54503f1c45665831db580531993942276387ba6bcfa91e56b3fa1e3

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\126.0.6478.130\chrome_elf.dll

Filesize
1.2MB

MD5
1feea7ef29675c3e3c62256122cb239b

SHA1
910b5b1621201b2cfe81b1e0c29e63e7c7313fa9

SHA256
300305c7fe1b458f8916a9c8b7b462322a88ff7eb3e0ff42ff1d47df74422f88

SHA512
39b8d88622e7241ced011bc104098fe28e54c00be36d86622120480e6016b05cc3eb8b1b3fafbdfdd20b08c074af40c1aaa1cb28d06b565dfc4b68e63ccb5934

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\master_preferences

Filesize
159B

MD5
746e45d4be2d95012aff9a0716e811f6

SHA1
3af1bef7086d7512f800084fc7c95fe994c6a459

SHA256
5269f6e042e298253d298cbe4a10efece8276bf8058a679dd81a9fa6fe91c060

SHA512
33a491d07d6360655d2df4191458cbb57e6fef8c583b7b049ec016ca43e5436711dceefdaf10335a90df5fe1c7328a51530bcc87fd1268352b385532d11c2412

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe

Filesize
3.1MB

MD5
70cd5234ef5b6cb9e501eb980b920dce

SHA1
6ee318c439ace73c75b6dff3fcdff4dbe7e2cc33

SHA256
d61031344b3fd422596ea2687b5c640551b1d5dee0e90a26e6568b26b6025991

SHA512
3fa02d349a0b8906724c6a4042b6f3fec394dab451f567733e12dbceaaab533c22a10b30e4473b3ec0f2648278ba71dd8cb699b36eecb43c5bbca5ade7892be0

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad\settings.dat

Filesize
40B

MD5
f628e09e38fa1b2105f32664fff3ca30

SHA1
02431a3c5f06bef8a159f59813edca77c93c6210

SHA256
75bb58348fd7cb67b9e807c5cbf54e021e52ffab759a8b2804960caeb28747a3

SHA512
ebb02cb9c916b0cee3b8992dd934d70437a7b8cb735ce7afeb7d1872beac12cd8c5823465d6decb12b23450e19c06e5c44b4da1493b59d074c9d7e29b87486f1

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences

Filesize
9KB

MD5
6817146a37938e03ad62f8fa68ea3ee0

SHA1
d458c9e11ce74867f2351dedd3b99bb8665a76bd

SHA256
23e1d581b7257c42d24890895f2a3e6abca5dadfbf672660125db554d3011180

SHA512
8f451e9ddb806f73bc24faf5d40194fae6b301eb25e57decf0a9d43b624fc849f3b8b30d018e5a2e166bbee1163074164800caa3d737221e99ea594bf7828adb

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences

Filesize
9KB

MD5
99cab44b70d10eef813346e64ab7fa15

SHA1
122c5953f445e008a27e879a23576efff2dc95c5

SHA256
ce51de55ae0ba391112b70db8611d96460b046f5d42f824fddb91b21572da7f5

SHA512
e2ed7d50927a1a74c6370eb542d8e5bed1c7cb8e6f2cd4fce30437c53dc5f1eafbde4506f05fd8ef4bf2a1b4578a3e25484220b7487b02a5aa78b3a6603d3d21

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences

Filesize
9KB

MD5
65a3165938353f6c2a703f16d59e99b6

SHA1
f10fd394e980d6451d74660e2827f0303f04aa92

SHA256
9f2528d30a28059828ef32b41a348b21012977cc41f5b65bef5298da297719b6

SHA512
0ccc583d853f8ca365f16e9a6a84bee3e6d0f548c38bc875ffe80c76da7a1b58e9c3d0eb5e08abea7271b11bfa4c241aea453917235e3d7cf875ac8446f0da97

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences~RFe592f73.TMP

Filesize
2KB

MD5
48b73ad61c1c7861f9105665fbf6d0fe

SHA1
8bcac21d6c5d7213c65226544a4290995aa6ac29

SHA256
9cbf140c9ca24877129120c564a1cc30fc8b62ce8ab4379d00a7318dcff1a020

SHA512
dd38ba9ffecfb7bd13bef2489e5aa78a871cfc80baa01f75bad53308c035bb21533a8f5ccbadde4392050a549b4b4f0b54e522430c5c6218d5f7952d6e1d013d

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\d4d40537-7f21-4843-9289-59ad07f0a0a6.tmp

Filesize
165KB

MD5
517e603878399058e35f246781ec0030

SHA1
0c47e5d2b7c6c18b59280cc4d04438939369e7d7

SHA256
47d4b8d8d6a3794bccc7cd796090c796a6be3019bb34f66aa88f85ed4109a251

SHA512
b26a62ae7efb6f071d87ae928f434bd9d2389bd4585c55991dc979588546ac40f77e4ca7eec64224dbee25ce3d7aabdbd93f58dc248e9b7a3aa644c1e1b0d879

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State

Filesize
1KB

MD5
6de9a8e42f6a2e18eb64ca35a5faa4bb

SHA1
30794b80b72e8761744076e66007284e5f1bd0d6

SHA256
f412ce65265e7f103fc6cde3d5ca6c9d1918827800013e4c2e772ca77c2cb8d5

SHA512
784419743b6873381f24c810bd4775020de06367d5a6a988cc1c705bec63f6963d22d4436392174b5089c436d8be13337a4aa0eb47f8b81fbaba85a49511d56b

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State

Filesize
3KB

MD5
2e08d7af9a941c5e388784e2ef90ded0

SHA1
acd11be844b5eba0b52c64fddd443ea678854c24

SHA256
c8354e1a8984fb8bc2b87fc5c181b1ee301e29f2fb6180e3c725b7be1584d222

SHA512
92abb9fb807f46fb35286786234f425dc29955fd25ccce5b2a3798f90955af69e5ac8ab792d51579264a7226549ec5b71f8f859b9caf4f1809b24fc575775a04

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State~RFe59070b.TMP

Filesize
847B

MD5
dc4469ea754c780f4e7834cce0e124f9

SHA1
c42c80bd1f286461fd399782c01c3f5ce6a4955c

SHA256
3a362283a589480481e4b7dec95e5a93757862f2192ca8cd53ed2cd7ffcfe29b

SHA512
cc338a63793566270d041255d16b4bf35242dc46198cdd2bd0272461d8a1179608915e4e3d18ce96f47920e363e27d5492b3e587ac5aea675ee1cb6f70e148fc

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2C3B.tmp

Filesize
936KB

MD5
13056f6fc48a93c1268d690e554f4571

SHA1
b83de3638e8551a315bb51703762a9820a7e0688

SHA256
aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996

SHA512
ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2EF0.tmp

Filesize
1.1MB

MD5
834b14d594a4e5d32b2c6a8a2b9c9e9d

SHA1
e23f0522085d11eaa9f7de30dd87508f9a15e777

SHA256
e5aff7492b86b6461591e93213b33c639db991b04ac63b5d07240d1777e554ff

SHA512
b054bb31911557461d7f86eeddd2028d1326d43826f95da958478640fc667b8389de61606e9f3b431baa20c27fed0fd54d93fc3534a19b81e5a6f1634b82d7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromium_installer.log

Filesize
439B

MD5
d1c8576b039218c4e049481d973deebf

SHA1
8d1b6437da795490a9538b609cfb6a6d12d845f1

SHA256
00ee723429b7bb7416e7e8e77daba78f58b2f90a64aeed10b38467f1633e7e7a

SHA512
805b62579d695040f3c3993911f6900b326ca4f48c960de345c30382b8904e1ea1cf2957a28d195bffca6a2884347957e77eb86b829ca362542026e5fb1e5156

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 558679.crdownload

Filesize
3.6MB

MD5
9c9cbb750974b96f3b3ef8b3ed2991b2

SHA1
027f613018863d32a39159a376ee1dde6da65f89

SHA256
a78f5d276692376d49f6473777ac40adf8f0d0f454f29711d524c675407d940f

SHA512
17d2276e817b8f71e878a196e33c7873e7d142fcaa997b1ae00b9899ad9d82bd4dcc56cdd3354b49db3abc964e8fe969d00c968e34276ea971306f0cf0bd11d6

Download Submit
C:\Windows\Installer\MSI8898.tmp

Filesize
761KB

MD5
c2d4d4ca490483cfa00bd7256dbb98ee

SHA1
4e85c6fa681823db5da52f2d7673c1a786109e5c

SHA256
3762ef6191dac92f663e865c5616e2d2524ce6ad6b87f364af4812aab9714a06

SHA512
34e7dcd2e6626761bf71ba4a48f48848a2c14e9f27697cc1ff45557cbc6ab748cb00996c055f612af9f6c4c8f51b727b3b201c4611b1ebacff4a9e382ae522d5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
4ee6ca434a95af0fdb84ee10ab090622

SHA1
a40c8d0a9344ac953de27ca676ed86e0af9b6597

SHA256
a0563eb85aaaa3f2419ced33729fa521023ed164676ae373478a1c64268fd691

SHA512
9392a8e4e2422946ad6cdf3138147cfc31fea6a64cb43f3f19b102e09369bd8f80269c73c0ae462e8a9bf5aa925a67663752efe985657fb367388d4a750c5f52

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9bf13913-0da2-41e9-b8bd-6f5b770c0fb5}_OnDiskSnapshotProp

Filesize
6KB

MD5
55aba154b0a9e71b5b000cc7b5e00837

SHA1
8dfa7531f93099dddbb5b55daffacae73e5d8ce6

SHA256
e0a5767142d38f0250b300f2c27cf0c49cf1a3b01d7f63ebb245f507e8551fd2

SHA512
2a7a59c67063c3f71ae58ccf407f5676418d5d13f7a87ef0be12d1914a0be7e336c6a4488c8c00157bf17cf74977573ff202ac07b63f5ee7d6a1301b7804aeb4

Download Submit
memory/2044-341-0x00007FFA3B960000-0x00007FFA3B961000-memory.dmp

Filesize
4KB

Download
memory/2044-342-0x00007FFA3C2A0000-0x00007FFA3C2A1000-memory.dmp

Filesize
4KB

Download