File name:

PDFSmartKit.msi

Full analysis: https://app.any.run/tasks/b4933308-e5b4-4b86-bc21-2a6f7eb41b2c
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 25, 2025, 00:40:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
adware
advancedinstaller
loader
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {379C2324-209C-4D64-B4C1-296F09F1135C}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.286.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Feb 21 01:24:57 2025, Last Saved Time/Date: Fri Feb 21 01:24:57 2025, Last Printed: Fri Feb 21 01:24:57 2025, Number of Pages: 450
MD5:

7ABF12AB98F4CBED63228BBA977CEA7E

SHA1:

E8E8075E078F22844C0C37941F5D76E693E83914

SHA256:

9C60480AFBBFBDF20520A9E7705F60A54FF2D0A94D72E4C26FC2AEE55A158A9F

SSDEEP:

49152:MMA9IzHPo6CsA+2HQ8Eip1siy0EvNcp5ECoyVZpJ/Diaf86LS:Y9I7o6Hh6Q8RkVcp5ECoaFTG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADVANCEDINSTALLER has been detected (SURICATA)

      • msiexec.exe (PID: 4988)
    • Executing a file with an untrusted certificate

      • setup.exe (PID: 7912)
      • setup.exe (PID: 7728)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 6652)
      • setup.exe (PID: 1276)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 3096)
      • onestart.exe (PID: 840)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 2244)
      • onestart.exe (PID: 6660)
      • onestart.exe (PID: 6744)
      • onestart.exe (PID: 4244)
      • onestart.exe (PID: 3300)
      • onestart.exe (PID: 5172)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 5892)
      • onestart.exe (PID: 3796)
      • onestart.exe (PID: 8084)
      • onestart.exe (PID: 8120)
      • onestart.exe (PID: 3620)
      • onestart.exe (PID: 4452)
      • onestart.exe (PID: 7256)
      • onestart.exe (PID: 472)
      • onestart.exe (PID: 7944)
      • onestart.exe (PID: 7932)
      • onestart.exe (PID: 6436)
      • onestart.exe (PID: 7856)
      • onestart.exe (PID: 3784)
      • onestart.exe (PID: 6752)
      • onestart.exe (PID: 3900)
      • onestart.exe (PID: 7860)
      • onestart.exe (PID: 7324)
      • onestart.exe (PID: 7376)
      • onestart.exe (PID: 7624)
      • onestart.exe (PID: 1616)
      • onestart.exe (PID: 7864)
      • onestart.exe (PID: 496)
      • onestart.exe (PID: 7456)
      • onestart.exe (PID: 5256)
      • onestart.exe (PID: 4172)
      • onestart.exe (PID: 7856)
    • Actions looks like stealing of personal data

      • notification_helper.exe (PID: 6228)
    • Changes the autorun value in the registry

      • onestart.exe (PID: 7960)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 8104)
    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 6244)
    • Potential Corporate Privacy Violation

      • msiexec.exe (PID: 4988)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4988)
      • msiexec.exe (PID: 7328)
    • Access to an unwanted program domain was detected

      • msiexec.exe (PID: 4988)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7248)
    • Process requests binary or script from the Internet

      • msiexec.exe (PID: 4988)
    • Executable content was dropped or overwritten

      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • onestart.exe (PID: 3900)
    • Application launched itself

      • setup.exe (PID: 7912)
      • setup.exe (PID: 6652)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 7960)
    • Searches for installed software

      • setup.exe (PID: 7912)
    • Creates a software uninstall entry

      • setup.exe (PID: 7912)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 7328)
    • The process deletes folder without confirmation

      • msiexec.exe (PID: 7328)
    • The process checks if it is being run in the virtual environment

      • onestart.exe (PID: 7960)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6244)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 4988)
      • setup.exe (PID: 7912)
      • onestart_installer.exe (PID: 7672)
      • notification_helper.exe (PID: 6228)
      • setup.exe (PID: 6652)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 496)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6244)
    • Checks supported languages

      • msiexec.exe (PID: 7248)
      • msiexec.exe (PID: 7328)
      • msiexec.exe (PID: 4988)
      • setup.exe (PID: 7728)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • setup.exe (PID: 6652)
      • setup.exe (PID: 1276)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 1348)
      • notification_helper.exe (PID: 6228)
      • onestart.exe (PID: 840)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 3096)
      • onestart.exe (PID: 3300)
      • onestart.exe (PID: 2244)
      • onestart.exe (PID: 6660)
      • onestart.exe (PID: 6744)
      • onestart.exe (PID: 4244)
      • onestart.exe (PID: 5172)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 5892)
      • onestart.exe (PID: 3796)
      • onestart.exe (PID: 8084)
      • onestart.exe (PID: 8120)
      • onestart.exe (PID: 3620)
      • onestart.exe (PID: 4452)
      • onestart.exe (PID: 7256)
      • onestart.exe (PID: 472)
      • onestart.exe (PID: 7944)
      • onestart.exe (PID: 6436)
      • onestart.exe (PID: 7856)
      • onestart.exe (PID: 3784)
      • onestart.exe (PID: 6752)
      • onestart.exe (PID: 7932)
      • onestart.exe (PID: 7324)
      • onestart.exe (PID: 7376)
      • onestart.exe (PID: 7624)
      • onestart.exe (PID: 1616)
      • onestart.exe (PID: 496)
      • onestart.exe (PID: 7864)
      • onestart.exe (PID: 7860)
      • onestart.exe (PID: 3900)
      • onestart.exe (PID: 7456)
      • onestart.exe (PID: 5256)
      • onestart.exe (PID: 4172)
      • onestart.exe (PID: 7856)
    • Reads the computer name

      • msiexec.exe (PID: 7248)
      • msiexec.exe (PID: 7328)
      • msiexec.exe (PID: 4988)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • notification_helper.exe (PID: 6228)
      • setup.exe (PID: 6652)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 840)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 2244)
      • onestart.exe (PID: 3796)
      • onestart.exe (PID: 496)
    • Reads the software policy settings

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 7248)
      • slui.exe (PID: 7552)
      • slui.exe (PID: 7772)
    • Checks proxy server information

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 4988)
      • onestart.exe (PID: 7960)
      • slui.exe (PID: 7772)
    • Reads Environment values

      • msiexec.exe (PID: 7328)
      • msiexec.exe (PID: 4988)
    • The sample compiled with english language support

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 4988)
      • msiexec.exe (PID: 7248)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • onestart.exe (PID: 3900)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 7248)
    • Manages system restore points

      • SrTasks.exe (PID: 5968)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7248)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 496)
    • Process checks computer location settings

      • msiexec.exe (PID: 7328)
      • onestart.exe (PID: 6744)
      • onestart.exe (PID: 6660)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 5892)
      • onestart.exe (PID: 6436)
    • Create files in a temporary directory

      • onestart.exe (PID: 7960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {379C2324-209C-4D64-B4C1-296F09F1135C}
Words: 10
Subject: OneStart PDF
Author: OneStart.ai
LastModifiedBy: -
Software: OneStart PDF
Template: ;1033
Comments: OneStart PDF 4.5.286.2
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2025:02:21 01:24:57
ModifyDate: 2025:02:21 01:24:57
LastPrinted: 2025:02:21 01:24:57
Pages: 450
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
57
Malicious processes
6
Suspicious processes
41

Behavior graph

start msiexec.exe msiexec.exe msiexec.exe no specs sppextcomobj.exe no specs slui.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs #ADVANCEDINSTALLER msiexec.exe onestart_installer.exe slui.exe setup.exe setup.exe no specs notification_helper.exe chrome.exe no specs setup.exe no specs setup.exe no specs onestart.exe onestart.exe no specs onestart.exe no specs cmd.exe no specs conhost.exe no specs onestart.exe no specs onestart.exe onestart.exe no specs onestart.exe onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 472
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=4516,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 496
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6792,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 840
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=1996 /prefetch:2
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1276
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_704F1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.161 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff7e002e2f8,0x7ff7e002e304,0x7ff7e002e310
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_704F1.tmp\setup.exe
Parent process: setup.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart Installer
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart installer\cr_704f1.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1348
CMD: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.161 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc8968dcf8,0x7ffc8968dd04,0x7ffc8968dd10
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1616
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=6796,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2244
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3096
CMD: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.161 --initial-client-data=0x190,0x194,0x198,0x154,0x19c,0x7ff73bee3840,0x7ff73bee384c,0x7ff73bee3858
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3300
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2488,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:8
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process: onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
Total events
17 259
Read events
16 913
Write events
322
Delete events
24

Modification events

(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
480000000000000031F8709E1E9DDB01501C0000981F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000031F8709E1E9DDB01501C0000981F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000005A19249F1E9DDB01501C0000981F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000051B7259F1E9DDB01501C0000981F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000AAE4359F1E9DDB01501C0000981F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000000BB93C9F1E9DDB01501C0000981F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000C98DE79F1E9DDB01501C0000981F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000B1C2EA9F1E9DDB01501C00001C1C0000E803000001000000000000000000000004C5912BD002EE42B7C5B8E1E7C20FA400000000000000000000000000000000
(PID) Process: (8104) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
480000000000000087C124A01E9DDB01A81F0000C41F0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (8104) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
480000000000000087C124A01E9DDB01A81F0000341C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
36
Suspicious files
298
Text files
74
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7248
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_047665DA31D3B6D49BCD9D6BF2556F80
Type: binary
MD5:C651AA3BB73E9A7B34D157B157B45E59
SHA256:EDA167A51063394740685143BBBC5F84A6F1D21BE9AC50204527A7F4A6993AC1
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Type: binary
MD5:7E5E9912DE7A985FF6257B5E3005DE2C
SHA256:EC0BDEA0FCC54BE0A302CAC5A2513186CCD5A9E1BD9DE7C8DD81CE1773141571
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE023.tmp
Type: executable
MD5:0606E1A2FE0D72593405CAFEB945C740
SHA256:E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE0A2.tmp
Type: executable
MD5:0606E1A2FE0D72593405CAFEB945C740
SHA256:E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE100.tmp
Type: executable
MD5:0606E1A2FE0D72593405CAFEB945C740
SHA256:E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
PID: 4988
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part
MD5:
SHA256:
PID: 4988
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
MD5:
SHA256:
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIDE3D.tmp
Type: executable
MD5:0606E1A2FE0D72593405CAFEB945C740
SHA256:E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
PID: 6244
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE053.tmp
Type: executable
MD5:0606E1A2FE0D72593405CAFEB945C740
SHA256:E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
74
DNS requests
57
Threats
30

HTTP requests

Method: GET
HTTP Code: 200
IP: 23.48.23.143:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 6544
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

PID: 6244
Process: msiexec.exe
Method: GET
HTTP Code: 200
IP: 18.173.205.43:80
URL: http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSoEwb5tith0jIBy9frSyNGB1lsAAQUNr1J%2FzEs669qQP6ZwBbtuvxI3V8CEEhAwkRt2T9xBNbvBB%2BwDhI%3D
CN: unknown
Reputation: whitelisted

PID: 6244
Process: msiexec.exe
Method: GET
HTTP Code: 200
IP: 18.173.205.43:80
URL: http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
CN: unknown
Reputation: whitelisted

PID: 1348
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown
Reputation: whitelisted

PID: 6512
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 23.35.229.160:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown
Reputation: whitelisted

PID: 4988
Process: msiexec.exe
Method: GET
HTTP Code: 200
IP: 143.204.98.32:80
URL: http://resources.onestart.ai/onestart_installer_132.0.6834.161.exe
CN: unknown
Reputation: unknown

PID: 7672
Process: onestart_installer.exe
Method: POST
HTTP Code: 200
IP: 18.245.31.36:80
URL: http://event.onestart.ai/
CN: unknown
Reputation: unknown

PID: 8188
Process: onestart.exe
Method: GET
HTTP Code: 200
IP: 34.104.35.123:80
URL: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/mfnf4w4aaa2rporuqgtjqv35v4_4.10.2891.0/oimompecagnajdejgnnjijobebaeigek_4.10.2891.0_win64_acwxtxt2znguar3w2o252umtomsq.crx3
CN: unknown
Reputation: whitelisted

PID: 7672
Process: onestart_installer.exe
Method: POST
HTTP Code: 200
IP: 18.245.31.36:80
URL: http://event.onestart.ai/
CN: unknown
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

IP: 23.48.23.143:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 6544
Process: svchost.exe
IP: 40.126.31.129:443
Domain: login.live.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 6544
Process: svchost.exe
IP: 2.17.190.73:80
Domain: ocsp.digicert.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

IP: 40.115.3.253:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 2104
Process: svchost.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 3216
Process: svchost.exe
IP: 40.115.3.253:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 5496
Process: MoUsoCoreWorker.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 6244
Process: msiexec.exe
IP: 18.173.205.43:80
Domain: ocsps.ssl.com
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
login.live.com
  • 40.126.31.129
  • 20.190.159.68
  • 40.126.31.1
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.23
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
ocsps.ssl.com
  • 18.173.205.43
  • 18.173.205.57
  • 18.173.205.76
  • 18.173.205.113
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

PID
Process
Class
Message
4988
msiexec.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] AdvancedInstaller User-Agent
4988
msiexec.exe
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
4988
msiexec.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
8188
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
No debug info