56b7183db8ba4cb6580415f8905ae2d29cf2d6fbe0e6bc1fc9521c43d4cf1eed

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

onestart_installer.exe
Size

99.0MB
MD5

1d599092628613f06912ec455ca61f96
SHA1

9dfcd7bc88f597f199e336f262e52195ee2514e4
SHA256

fdb0caaae3aef5b7db2f8ae96424ad0c2a3faa5fe7dc4db35a5a85bb6935eb5d
SHA512

deaeca59ee40e280d49290283b6e8220b47554f9d9c904e7e238dc7bc4ebe8fb13833a11291e9ac10c32b8e471f1c370a993ff8e926d17b9fb05bf8443fe277b
SSDEEP

3145728:qBN+aIcDxwL22tMy//zUJk3arfSuR34g/blWi1A:ghxoPz36fSng/blWAA

Score

7^/10

discovery persistence phishing privilege_escalation

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	onestart.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
1092	setup.exe
3996	setup.exe
1108	setup.exe
3052	setup.exe
3060	onestart.exe
4844	onestart.exe
8	onestart.exe
3860	onestart.exe
2900	onestart.exe
452	onestart.exe
4880	onestart.exe
5296	onestart.exe

Loads dropped DLL 24 IoCs

pid	Process
3060	onestart.exe
4844	onestart.exe
3060	onestart.exe
8	onestart.exe
8	onestart.exe
3860	onestart.exe
8	onestart.exe
8	onestart.exe
8	onestart.exe
3860	onestart.exe
8	onestart.exe
8	onestart.exe
8	onestart.exe
2900	onestart.exe
2900	onestart.exe
452	onestart.exe
452	onestart.exe
4880	onestart.exe
4880	onestart.exe
5296	onestart.exe
5296	onestart.exe
5296	onestart.exe
5296	onestart.exe
5296	onestart.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneStartChromium = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --existing-window"	onestart.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneStartUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --update"	onestart.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	onestart.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	onestart.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\chromium_installer.log	setup.exe
File opened for modification	C:\Program Files\chromium_installer.log	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	onestart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	onestart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	onestart.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802970199112541"	chrome.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\ = "OneStart HTML Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\AppUserModelId = "OneStart.V7UCG3NSZVD447JAIOWFWLOG4E"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe,0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationDescription = "Access the Internet"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.shtml\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.xht	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.htm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.pdf\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.svg	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\Application	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.pdf	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\130.0.6723.134\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationName = "OneStart"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationCompany = "OneStart.ai"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.mhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.html	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.html\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.shtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.xht\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.mhtml	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.xht\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.xhtml	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationDescription = "Access the Internet"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.html\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.shtml	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe,10"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationName = "OneStart"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.htm	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.mhtml\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.webp	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\130.0.6723.134\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe,11"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.webp\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\Application\AppUserModelId = "OneStart.V7UCG3NSZVD447JAIOWFWLOG4E"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\ = "OneStart PDF Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\AppUserModelId = "OneStart.V7UCG3NSZVD447JAIOWFWLOG4E"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.xhtml\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.htm\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.svg\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\OneStart.ai\\OneStart\\Application\\onestart.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBPDF.V7UCG3NSZVD447JAIOWFWLOG4E\Application\AppUserModelId = "OneStart.V7UCG3NSZVD447JAIOWFWLOG4E"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E\Application\ApplicationCompany = "OneStart.ai"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.webp\OpenWithProgids\OSBHTML.V7UCG3NSZVD447JAIOWFWLOG4E	setup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
408	chrome.exe
408	chrome.exe
5296	onestart.exe
5296	onestart.exe
408	chrome.exe
408	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2432	onestart_installer.exe
Token: SeIncBasePriorityPrivilege	2432	onestart_installer.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe
Token: SeShutdownPrivilege	3060	onestart.exe
Token: SeCreatePagefilePrivilege	3060	onestart.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
3060	onestart.exe
3060	onestart.exe
3060	onestart.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
3060	onestart.exe
3060	onestart.exe
3060	onestart.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1092	2432	onestart_installer.exe	83
PID 2432 wrote to memory of 1092	2432	onestart_installer.exe	83
PID 1092 wrote to memory of 3996	1092	setup.exe	84
PID 1092 wrote to memory of 3996	1092	setup.exe	84
PID 2632 wrote to memory of 1668	2632	notification_helper.exe	86
PID 2632 wrote to memory of 1668	2632	notification_helper.exe	86
PID 1092 wrote to memory of 1108	1092	setup.exe	87
PID 1092 wrote to memory of 1108	1092	setup.exe	87
PID 1108 wrote to memory of 3052	1108	setup.exe	88
PID 1108 wrote to memory of 3052	1108	setup.exe	88
PID 1092 wrote to memory of 3060	1092	setup.exe	90
PID 1092 wrote to memory of 3060	1092	setup.exe	90
PID 3060 wrote to memory of 4844	3060	onestart.exe	91
PID 3060 wrote to memory of 4844	3060	onestart.exe	91
PID 2432 wrote to memory of 3912	2432	onestart_installer.exe	92
PID 2432 wrote to memory of 3912	2432	onestart_installer.exe	92
PID 3912 wrote to memory of 2888	3912	cmd.exe	93
PID 3912 wrote to memory of 2888	3912	cmd.exe	93
PID 2888 wrote to memory of 776	2888	chrome.exe	94
PID 2888 wrote to memory of 776	2888	chrome.exe	94
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 3976	2888	chrome.exe	95
PID 2888 wrote to memory of 2996	2888	chrome.exe	96
PID 2888 wrote to memory of 2996	2888	chrome.exe	96
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97
PID 2888 wrote to memory of 3268	2888	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\onestart_installer.exe
"C:\Users\Admin\AppData\Local\Temp\onestart_installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\ONESTART.PACKED.7Z"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe
    C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff75a378148,0x7ff75a378154,0x7ff75a378160
    3⤵
    - Executes dropped EXE
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff75a378148,0x7ff75a378154,0x7ff75a378160
      4⤵
      Executes dropped EXE
      PID:3052
- - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
    "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --from-installer --no-startup-window
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks system information in the registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfe77c38,0x7ff9cfe77c44,0x7ff9cfe77c50
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4844
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,12509687204256304767,6736084485480651849,262144 --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --start-stack-profiler --field-trial-handle=2216,i,12509687204256304767,6736084485480651849,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3860
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2400,i,12509687204256304767,6736084485480651849,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2900
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4004,i,12509687204256304767,6736084485480651849,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:452
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4152,i,12509687204256304767,6736084485480651849,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4880
  - - C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
      "C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations=is-enterprise-managed=no --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4236,i,12509687204256304767,6736084485480651849,262144 --variations-seed-version --mojo-platform-channel-handle=764 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5296
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c ""C:\Program Files\Google\Chrome\Application\chrome.exe" https://onestart.ai/chr/startup?fhnid=61071026"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://onestart.ai/chr/startup?fhnid=61071026
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9cffccc40,0x7ff9cffccc4c,0x7ff9cffccc58
      4⤵
      PID:776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
      4⤵
      PID:3976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
      4⤵
      PID:2996
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2640 /prefetch:8
      4⤵
      PID:3268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
      4⤵
      PID:4448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      PID:1540
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4020,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:1
      4⤵
      PID:404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4664,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      PID:2480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5012,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
      4⤵
      PID:4808
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3232,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:8
      4⤵
      PID:4016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:8
      4⤵
      PID:3568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:8
      4⤵
      PID:408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
      4⤵
      PID:4016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5192,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
      4⤵
      PID:3568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5248,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:2
      4⤵
      PID:5680
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
      4⤵
      Drops file in Program Files directory
      PID:5428
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff71e4a4698,0x7ff71e4a46a4,0x7ff71e4a46b0
        5⤵
        Drops file in Program Files directory
        
        PID:5452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3292,i,15891857267833813228,3469045416069833079,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:408

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x1cc,0x1d0,0x1d4,0x1a8,0x1d8,0x7ff712323600,0x7ff71232360c,0x7ff712323618
  2⤵
  PID:1668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chromium_installer.log

Filesize
413B

MD5
63af15b72015e999c3dbaa14e5891c3d

SHA1
7c8d8b9ee96a3d91a1d76c9f3990a620b612c765

SHA256
a57c362716d132aa7609d5daf3a0873a756a56bfa058ebe11359c350cef08a03

SHA512
9a0da802a0a09a1f572fe456754e1627d0d3c6894f98288359fef37e3093139ef9d8f6fe739f8ed71de62d8665574facd9d40ff2eaf2bdfc5c2d8f9e6349bc79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6adcd808d1a2a6f9ebac5f805cd220cf

SHA1
0f0e1fea371ce8cbc6cf270c6863f9dcd546e4e5

SHA256
3bed64a9bfe94bc32d7519e6ab1132f4bba27029407c0d710aea073b92b4eb26

SHA512
bb11c7df6fcd3f7a66c3a5c9445084e386e0db6579c5d2b4480f6381e8f41b945279e4c9b2753c134834e5c25663ad6368b3af41ca9a018d7713fd184cafc48d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7773080404388b86b54bc6a709b6443d

SHA1
3a58d084e8a2964608f34b3bad5db16e62606b8d

SHA256
bcfcdaf016f6e01668ad94c925e2fbfeffd8c7c18a886d69b71da73187ad964f

SHA512
9af45560378b22135ad7b381716eadb0cd05aaba80e44bb5c2609c369e8b927bcc9f0cbc4d8969cc898faab8c40d0ce78349a0cbe9899101a07afc9212cb5b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
f4b19628f954b26a4ac2920f22ddef54

SHA1
7ef912d4b2470df9a098956694b66d4c80d8f111

SHA256
350b10bc20d4f127de561a3a0f76afd6108b04b5f41e625783d054fe51e0c293

SHA512
8da6fcf1a13be9e82d3aa304828c4be1734aa0e76ea141c59f94e5135c9bcbfd67b4366a522bdc362683f8ed657f71adb708d6d8603bf7faa3d279bf3b8ca69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
cf89dd8e8b42344842caae0d0d213330

SHA1
7a36ff9afdb030c54aac6a1d8c5a9457884d9519

SHA256
e6b0a8ad9bb40af4c9f0f6471c8284252e5d6b2f69143601055cd796fa94f1f8

SHA512
9711edfede809151f59bcb61a54c93a233842f8507eb11d498948552d37c81c2eb6d9c5f1dceb6b71e3b1df65bc80dd81b96d156ae0fd914450478105b15e87d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ad7574c720081b88422015cc9be70c1e

SHA1
c6080b3e5941e6637aef638eef970883150a9e8f

SHA256
b6c413533d787e6915be4de6277552a4ea72be40ba396dae2c8005409aacc88d

SHA512
651f09ce284cacdc08bc9886842d1587be918f3a58dbea8ca73dba7616c793e792c81b995d1dd17647415687d3e027aa2f2f81d9129e0586b717731b482422f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
39a6eb60d4a63d6abb1667776748d813

SHA1
f1471fea155881f53b29dfd976302bbb427535f0

SHA256
57c5a000cd83e6054743c9f1522f9e61e498e434d3f6d49531ebbf32222e258a

SHA512
91bd4e777d2631b8658fe58a3bc432fc32d11f07f679051f30dbab55fcf88659ac90330d86bed23168766d658853b3cdcbe8774a46f6e43cb771604fdca624cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
29324638fdfc7f2b8a57efd756874f31

SHA1
a89a94886166b8ac16b896c8cc47dbc2d3dca9ea

SHA256
08550572934b666aa8dadc7bc0d7e3db9628b4ff37b5061e0b81af2975fbdb9f

SHA512
1e128fbc4d9bd2975e9b8ddaa9c2dc0dc3e746a13aae334a2ae243dad92377b318e222729f2efa4a10079e537a2d17e92213752fd09b1c97988457c048febaaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ea8eda2bd607a7fa7cb3397cc1578664

SHA1
4e6372e32382a50c3b797c1731a6d70c3bda3a6f

SHA256
12757dd2e7c92e1d27855f10076c0f733a85ec78c0ff399f898eddc46bc1d900

SHA512
92bd7daebb15307ea5002635debf3fc21633ab18a16bea7150bb34156063f777de10e0e36dd35635b182073ee5ee3fe7f94a74c027a6deff3d377bd0ae0c39ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63e556bd66425184d59a955546d1990c

SHA1
08ba15ed26072967344eae9f2ec95cae0d5a5255

SHA256
fd344ddbb14d7503fdd97b77bdcdc8de58d8743e4cc03213d9e670461c7c509c

SHA512
df2969ed7b7e7474116f56f6eefd726fe0da282792e819efb3ffccb421eeedf5b8e61254033d6510eb034c7dd52c4056da59ca9ca4024551365c394e69881f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
11c5f50ef7a8ef3f28e03a5c6b4aea20

SHA1
922c9f0bf548628d3bdf69312aa7be18750632d9

SHA256
6ac0f3c97f1a082006f2394acbd1cb38262e983994bfe53d68405db9baa4f869

SHA512
c0c949882563b562005b747ebe0225cb53992bbb4915bb6b68259d07faf4085496811960d53b5b76ce050697492dd237b664899ca868583c508407ecd4983635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20d87915f5a4825e33207758526ee3e4

SHA1
4a6cc98521d980cb909fa2d7109949fe1c90871b

SHA256
3827dd5562051b319ad4fd86ab9e47cd6a5b365ea06618ad5538bb70ad336ec8

SHA512
80172ff9ae005fe0be0b5250baa9bed3bedd5101b82cf81bdea83cae3a26310c1686de0856800671479dce3147bf61e45197a1155ab8971de643a37bec200565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b2061e8e1145f8693b4b673356c03d33

SHA1
3ef32c071a8e9f27771b2e790d841395807e94f1

SHA256
5a0327dbbf4d9898d4dcd62acf90e4b43c9bc50092db00cdee7dbcb60c842275

SHA512
5ed0311dde3b5ffde2c7f44bc17a2ecabfb050ffb0133dcf667a9e0f0e395b8365c5f6a3aef5064322913f988993d147a1bdb7d7b9b7a94f950325286d4d79fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9136d165ea913ecd71af15a2b7f8647a

SHA1
143269a3c38dc9a383a21a1f01f9a598d60ee864

SHA256
03dc7bed14dde89b11285c755c2648fef9101cadb73b7d97ad42b64fa47521b9

SHA512
d4893ac0478d3bf62fb8c9422fcc56c9b527a71646d061f13082e3ad0ce2591d8d55673c2f7a02b77f9f840613e024117ef3554a41eacdd327cc8747e6b43279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b331cee7d08c2cf4ec2338b3ed0ced83

SHA1
b7c0981975ff6713bf94a926d7f46239494adb51

SHA256
3280fdd5815919b2520601488a28e9ffbd6444ec9a4c2b31d175d169465910db

SHA512
d9d949e0069881aed2ca1955ae1a109797cfb49e0b21a3081fa4e1a6cf4620fe4884eb74b64f8b3c5e95aa8d2d900b4fc9e50b3d66567762be3ab69d2294ea56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
417a5f18164a1719aa6c99a73708dfde

SHA1
7c3b5c5a5b5e6a7c07ac479de6882fc01bd0fde2

SHA256
a1ba29c618bcf3f17029f23fe3ce0646ed9ce24c3bea3309333a5626d623abb5

SHA512
161d72588e8e6cbbe478f33d83d2aeca9f7e320800f31497ff289d7fdfbf2e993493bc331934445769dd8315c0b2b4c3b89d568d6bb3ea7a3d84d9cca858b52f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
18247b44002ef4ff85001a2a91beda6a

SHA1
916b1188da58baabbef54b2d0a944c3324f364f8

SHA256
ea7b479a796f2d22fa325ac8ecb7bf29ce282d3ae5ae2b526bf23398fbd72ce6

SHA512
eacf100f93b943cf8cbf3d947ba437523250028e8714380d2247cbf01c5b0a5f36a5569ce0cf7e57cafc766b18db721dff3aa8de103f8aa4bc81cb99e85ea5bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ea558ec00c47b7231327b48414478edf

SHA1
cfb4492ff1f0da61df1f23d97cc9d5a63766b1d3

SHA256
95976b94572eede55a1956ed306124689898d044687c64ebaf8e3eef937b391e

SHA512
043f8efe378fff3023e3f2af90ae5edfb2e8f4d84725844aee8eceb3bce9ac078a3754bea0296ec325278505acdd9e9907d47c85f24efcbae3d594f9848423c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
2c83f941b6a1d5d13d9227873ec23552

SHA1
aec37279ad4d8def6edba305488ec6ad5196e4ff

SHA256
866aea0cd79a4336b9b993fc25e7d0f21b2e88d075d272c4d6cfadfe3aed8875

SHA512
28352eef629edd6b0b53050d5f15c815cfdb570af3a400af161746546bf13d20229162bfc55c3effcb8a66165ea7e676d1a439ad7bda708279b0c3b02c69ceef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\NotificationHelperMetrics\20250102131011.pma

Filesize
1KB

MD5
c477b01f180588aeb403b320f1e6f731

SHA1
d181858e5c8e6e5ae81ddd56a92b8b31cead363a

SHA256
4b9c56ce788e8a46e59195cad48fa85a4360af7f4407d4bd3ea63fb7d903b183

SHA512
d8655522c015e44824523980ed1ec7aa80e634648b6723aa528e99f25ae9b85b410850835b98e753954f6d768eea72da2949ea915986c27611a3acb265785956

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

Filesize
864B

MD5
00d8f8e818a835dcf6a822a2865a0336

SHA1
7ec1d8a94a2b5b76fbb2216ed00c06ea26520fcd

SHA256
c9d72b02d59cb5ea0f358549f9dc0a4631a2285f8b626c47c31a49844b420136

SHA512
f2c4a6dff0d0203e590e5a9dc7c53692b56eec4642024f9e665cc3ad5ca5d9bdc6ecd634d45cbe34fa732f98573da1ebccf4ff3369acea6c6cdeb0bdc15efd6b

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

Filesize
266B

MD5
ee1c35b1642250ebf2b2d2e4cc0ef073

SHA1
09471f74b7d6bfa8aedf52fb9038d0473d24bbdf

SHA256
911ba9823b8ded5ac1d6496e532df538005f229031c9c0dfb73f3ba4acbc3019

SHA512
e337eaeceb064d30771ba36760f6df3224ad0b97781f6874263a5337f49b3aa46917f88b418d371501a0655a9f1e0810f830d4b2f0c8e96a0e5897a9a48c0b8a

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\chrome_elf.dll

Filesize
1.3MB

MD5
f180f2d6595001ca794ef25906b45b46

SHA1
544e6df80c75d340feeb9abb9d8a44fcfc16406d

SHA256
1784cf6a367f2cbb5853e007492c7ac222fd354b36aa6180eb7fa36f7930138d

SHA512
313e535883eaaacb48eda2ecdebc49baf7d5a6e9a601c2b81594176c47fce5b8bd05da458744f39dc967966d571987a7c8642a08e6a1ff5c8f5af6edb0fd7334

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\dxcompiler.dll

Filesize
24.6MB

MD5
8b447362b09e4b6df8e7b4619f568c72

SHA1
9f347b4315f9ee0bcc49fa4455a67fd95716cabe

SHA256
fd44e5b1877383f0cff0b2b3c13c800998cf0474325145ce5f163d38ff9e98f9

SHA512
8ca90d4412a2e692dfc0cf8798298fcb393b7f8d58a27df97a0109a50aa6510ee5796d0d3d2dca2e91b7db63ae00223344c235f3e85f415154942d06a3b416ec

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\libEGL.dll

Filesize
492KB

MD5
dacd27261dc54adf160e9476f6fd7fe4

SHA1
ba7ab2d1c2a06d4f4d20aba5e1859ee5d83b5280

SHA256
e59d67293cb1eef3809a4f257db3c614683208fd92a51336372230e9d43f81e7

SHA512
f2ac75654ec8395b621675750ff37da1b80ce0ac0f0736b84d10f5bae50ed3d6c869db024c27fc4e4634d769307bf5ad383602a073d4b138abca6e206dc25374

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\libGLESv2.dll

Filesize
7.9MB

MD5
33a0a6a4b8fa6c9335b3f55896dc7fd3

SHA1
0438b48546e592af629f27129f2e41ab4dd0f8b8

SHA256
5bcf5b915c4e06d42d17f5af85ca09a640338f9d3a98b9e4218f599fe4d9dbbe

SHA512
11b7a1054273965444ec6f704886641fb79826e4816e2d0683050b74b365e3508066bcd037defa217f24ba51eb080f295099ff5460a61938499544175649bbfa

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\130.0.6723.134\vk_swiftshader.dll

Filesize
5.1MB

MD5
8262a7a4f07fdec51ecfe824c2ad2e6e

SHA1
2e107ee01f85eb339b1e94d4912df7ebd0a4ec30

SHA256
6761c4713fd5b1afcb4a763dcd209fe728f8d1bc289a86d5d6364a705b004fa2

SHA512
993d6d365174750f4962e54c5371cf0437aca25d9d10323e17f8ca9c4bae5985801636928f1e0fea39509598a0a6d8fe85ea7dfe0b27150681f32e39e6288f7e

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\master_preferences

Filesize
159B

MD5
746e45d4be2d95012aff9a0716e811f6

SHA1
3af1bef7086d7512f800084fc7c95fe994c6a459

SHA256
5269f6e042e298253d298cbe4a10efece8276bf8058a679dd81a9fa6fe91c060

SHA512
33a491d07d6360655d2df4191458cbb57e6fef8c583b7b049ec016ca43e5436711dceefdaf10335a90df5fe1c7328a51530bcc87fd1268352b385532d11c2412

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe

Filesize
3.2MB

MD5
7fef4a3eb9816cf40e87afbf9cd9a168

SHA1
4d038fc13242ac69151ad60176bf211529cfcf94

SHA256
7ae44a0606e74fa34cde274a0ed05b899992a9cda60124e8c60403774c7206bc

SHA512
08117aacdbb5660b50adf347cdb97f47b443d70784f8ae423beaef5fe7be8abd92eea7dc7c3ba66a07a680185da2dbfc61e2c4c98caa213a101a9d9d94963aeb

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad\settings.dat

Filesize
40B

MD5
49c997ccc04fefe494026c6ac5331c94

SHA1
f5086101cc10570dc36c32a8b8fea07d6f17191f

SHA256
e7572320e6b59a4ce4c23dcf903b130c39522bce4303aecd139258cccd31227a

SHA512
4a5be31d0afd99e754155c03c11cadbe18846654ba98262577e6e8789e753e18917afc23d4fb8554a118b156c56245e982a0b2b2268e28abf0114f6bcbb8fa85

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\12d73f5f-b039-46ff-88ef-d3453ec4a087.tmp

Filesize
163KB

MD5
70e5d4e286c45331931c22dbf5b15a9b

SHA1
bb4dbee62f4410666033d8bbf658227c80a3ad9a

SHA256
6fd93aa2e71ae66df17c2e84e719d27df69762375894522d80c95d7c82393793

SHA512
bb3931d23042265b7f9c0e4f35470fed8e3279cf677aa7b98ddcf19e110e1ea61b36778890b322bd0fa111023f6097cf4dfe185cf54c89a8e5b2ac3ff5283913

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\Network Persistent State

Filesize
831B

MD5
66b2bd79d357138c20e583e40eac82a2

SHA1
d42a035903d61c139779d457bec11bcab94e51d6

SHA256
c49d41999c35b4a636c4bf4812ce67edb14faeeb7cfe82b8d01c46c065a82f70

SHA512
02438b68a12a84453a6f97509ae5afaa8e5343c88d91ba218565c397579f39e0ead9933370c7de398f5f5b90a719916bec9b3f41c797c155e4b74362e92578fe

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\Network Persistent State~RFe58c9d3.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences

Filesize
8KB

MD5
6cdc72b1fc727da71cb017cf7b6e51c6

SHA1
8aa2dc27aa5dfbb8f50e7a980c5e3f55da1c9fc3

SHA256
bbcf1f673aa990d130942ec4dcf60deb451d085b137100e98890ee01f9fd6b85

SHA512
bfe43fa8b37f50ef04bb854938916f085105d39cfe922d85c25de221840a886dd8149ecab97bb1dff16afc01f92c9266fe259ddba93334e7597a73dfe300658e

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences

Filesize
8KB

MD5
a9b6471687b505d6b9e57d02d7310182

SHA1
5fd321211da62f3749d1d229dfc0d2af1ae3f31a

SHA256
c91a137f6b381d694f50dc79b29112ea9b46d2b9eeaf5465303a77948a701a86

SHA512
88164260f43e0ccd6b50900dabb96386d405ca92ffb60c79470b32974ff62a32c01562fca96011bea34f7a82c24323e0e60954bb7e74c78ef9534030e87b9c88

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences~RFe57da81.TMP

Filesize
2KB

MD5
c98f580bd81c412096bc5138cca60fbf

SHA1
c6d3f081cb64efdd8791153757524ee64f3f89a1

SHA256
02a03a9c2375f25e1f5877a2ff3471843353efbfd8fc8c08c2252f566fa46ffe

SHA512
c2b627c0772477cbda72e7d82ed96f191433e69cd1c85efae63d6de1df4281a86a61b9b25f1d129df3bd00a952b36b439a0e591bca154975bfa46a337db8cf1d

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State

Filesize
3KB

MD5
33f8547fb735d1dabb711a5d79ac18b4

SHA1
cefb5949f186b236cade6d5932c28a372a1a7727

SHA256
69620da49c644e5311092c71c453f78be2124429c72c96337415e63111843a1c

SHA512
a0f249bbcb08b24d0451993a6ccf26ecc9f7a43934b6df49bf83ec83297f23d258c7631acae35034c78dfa630cfd186c052398e0fa90a1eea1528f62ddc08dd4

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State

Filesize
1KB

MD5
880b5d313a300d6d0352e1ae9af25369

SHA1
b1bb55b973a29c9b88f7c3121c693d90b15df961

SHA256
ff1b6653361b3a6653cd5f41b232c8edefa8fe83e13f63848ea3629b7c639096

SHA512
7e30eb300a5ea50525880abe4400c4a9b1cbe44f8fbae06946951b0c0777435cae62b9314a561c4e356eed216dced258e584e8294fdf3e30ae5c37dd69725900

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State

Filesize
3KB

MD5
ac95553cfca27257643d58c84e584205

SHA1
d490865f45524f9028776f166a98b29ce84a664f

SHA256
59769ea98ba261634c7c2d9f7fca916c05ccd3644d6c3728737952a5e5fc6a20

SHA512
34b38a046c10813ab461dbb8425db2319be5a18a06cff0d463d39f2bf210944cdc0855131017089f48e1bba2d3e49560ad651d44ca020036a60814833f3d46c5

Download Submit
C:\Users\Admin\AppData\Local\OneStart.ai\OneStart\User Data\Local State~RFe57b0c2.TMP

Filesize
909B

MD5
115d6d307856d35caaefad6eafc08d60

SHA1
ad3834bcbff611eb418e35e0c432d392b86ab284

SHA256
c103d7fdb164078bc0e2c53a8bcec27f8c3d3636a3f67f9d4968e24bcc26b796

SHA512
70630c42294fe53f57da1a600c547f0710fc3b9d426e2fe9abafd11519efccfa92c92372800195306bcf604859e1007551bb67f50a4f6cea51612aada03a105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_124DB.tmp\setup.exe

Filesize
4.7MB

MD5
235fdb3b59ee9dc1069f9c05f6734e16

SHA1
9d5258311f06a5fda36107e435733dfd30973c0b

SHA256
882fa58642a270884bd432f4788c6da583f42fe185afd083746e2f4fdecb9aac

SHA512
e0c23d30ab021edae4741f38e7eb05b5901753644ec83d4aa23aa5253d93007f51bffb5d4609987e0ba6c5ef51b54066f2f1b0cfbc4eb8fbefd38ba1babfe2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe9102ab-96ef-4ae4-9656-43adebdd13ad.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2888_1544537132\92f6aa67-672b-40b4-8966-9a3acc5e4fa3.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2888_1544537132\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneStart.lnk

Filesize
2KB

MD5
48472009f1acf48c3c700b6aa55caa40

SHA1
bde64f579c880099b11d953ca4b400872394643f

SHA256
d16b10244218db843ceff465fd717324fa30140ac6866980d7ca27425aea7625

SHA512
a825955c83dc84372bd38fb6733bc4c0c22abca6858f523dc13bf21d92f0fe51cab97b8efe4f2d470c5c2afdd876a9043ff6211d6dda6679a3bb5bd764a76d7d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 306049.crdownload

Filesize
3.7MB

MD5
40170ac9a14ffdde99a72ae6df444287

SHA1
52ad2c044a939acda7393b42d5639903963d82b3

SHA256
c826b208e30168a7ccf9fb34a18927d60c6a4686bc5e84076216217ee9d7d3fb

SHA512
edb20a88738f967ad22eda99cf77c15824e41759c9a20d4409f1ecb83ef3d040b155492fd7e28f1d809e11397335a0d77d84f443ae6578c17b691a80152337c0

Download Submit
memory/2900-170-0x00007FF9ED070000-0x00007FF9ED071000-memory.dmp

Filesize
4KB

Download
memory/2900-169-0x00007FF9ECB30000-0x00007FF9ECB31000-memory.dmp

Filesize
4KB

Download
memory/5296-3035-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3037-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3041-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3043-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3047-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3046-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3045-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3044-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3042-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download
memory/5296-3036-0x000001F09DDD0000-0x000001F09DDD1000-memory.dmp

Filesize
4KB

Download