File name:

PDFSmartKit.msi

Full analysis: https://app.any.run/tasks/b4933308-e5b4-4b86-bc21-2a6f7eb41b2c
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 25, 2025, 00:40:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
adware
advancedinstaller
loader
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {379C2324-209C-4D64-B4C1-296F09F1135C}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.286.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Feb 21 01:24:57 2025, Last Saved Time/Date: Fri Feb 21 01:24:57 2025, Last Printed: Fri Feb 21 01:24:57 2025, Number of Pages: 450
MD5:

7ABF12AB98F4CBED63228BBA977CEA7E

SHA1:

E8E8075E078F22844C0C37941F5D76E693E83914

SHA256:

9C60480AFBBFBDF20520A9E7705F60A54FF2D0A94D72E4C26FC2AEE55A158A9F

SSDEEP:

49152:MMA9IzHPo6CsA+2HQ8Eip1siy0EvNcp5ECoyVZpJ/Diaf86LS:Y9I7o6Hh6Q8RkVcp5ECoaFTG
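The File info line above is libmagic's rendering of the MSI's SummaryInformation stream, and several of its numeric properties carry installer semantics that the raw line hides. The script below is an added example (not ANY.RUN's code and not OneStart's) that parses that line, constructed here verbatim from this report, and decodes those properties as the Windows Installer SDK defines them: Word Count is a bit field (bit 1 = compressed source, bit 3 = elevated privileges not required), Page Count is the minimum installer version times 100, Security 0 means no read-only restriction, and Template is "platform;LANGID". The vendor-versus-file-name check is an assumption about what a reviewer wants flagged.

```python
"""Decode the MSI summary-information fields from a libmagic 'File info' line.

Added example for this report (not ANY.RUN code).  Property semantics follow
the Windows Installer SDK's Summary Information Stream documentation.
"""
import re
from datetime import datetime

# Constructed by copying the report's File info line verbatim.
FILE_INFO = (
    "Composite Document File V2 Document, Little Endian, Os: Windows, "
    "Version 10.0, MSI Installer, Security: 0, Code page: 1252, "
    "Revision Number: {379C2324-209C-4D64-B4C1-296F09F1135C}, "
    "Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, "
    "Name of Creating Application: OneStart PDF, Template: ;1033, "
    "Comments: OneStart PDF 4.5.286.2, Title: Installation Database, "
    "Keywords: Installer, MSI, Database, "
    "Create Time/Date: Fri Feb 21 01:24:57 2025, "
    "Last Saved Time/Date: Fri Feb 21 01:24:57 2025, "
    "Last Printed: Fri Feb 21 01:24:57 2025, Number of Pages: 450"
)

# Split only at a ", " that starts a new "Key: " token, so values that contain
# commas themselves (Keywords, Os) are not broken apart.
_FIELD_SPLIT = re.compile(r", (?=[A-Z][A-Za-z /]*: )")
_TIME_FMT = "%a %b %d %H:%M:%S %Y"
_TIME_KEYS = ("Create Time/Date", "Last Saved Time/Date", "Last Printed")

# Word Count summary property bits (Windows Installer SDK).
WORD_COUNT_FLAGS = {
    1: "short_file_names",
    2: "compressed_source",
    4: "admin_image",
    8: "elevation_not_required",
}


def parse_file_info(line: str) -> dict:
    """Turn the comma-separated libmagic output into a key -> value dict."""
    fields = {}
    for chunk in _FIELD_SPLIT.split(line):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key] = value
        else:  # keyless leading description such as 'Composite Document File V2 Document'
            fields.setdefault("description", []).append(chunk)
    return fields


def decode_msi_summary(fields: dict, file_name: str) -> dict:
    """Interpret the encoded summary properties and compare metadata to the file name."""
    words = int(fields["Number of Words"])
    times = {k: datetime.strptime(fields[k], _TIME_FMT) for k in _TIME_KEYS}
    platform, _, lang = fields["Template"].partition(";")
    vendor = fields["Author"].split(".")[0].lower()      # 'OneStart.ai' -> 'onestart'
    return {
        "min_installer_version": int(fields["Number of Pages"]) / 100,
        "security": int(fields["Security"]),             # 0 = no read-only restriction
        "source_flags": {name: bool(words & bit) for bit, name in WORD_COUNT_FLAGS.items()},
        "platform": platform or "(empty)",
        "language_id": int(lang),
        "identical_timestamps": len(set(times.values())) == 1,
        "author_in_file_name": vendor in file_name.lower(),
    }


def triage_notes(summary: dict) -> list:
    """Observations a reviewer would record from the summary stream."""
    notes = []
    if not summary["author_in_file_name"]:
        notes.append("Author/Subject name a different product than the distributed file name")
    if summary["identical_timestamps"]:
        notes.append("create/save/print times are identical: package produced in one automated build")
    if summary["source_flags"]["elevation_not_required"]:
        notes.append("Word Count bit 3 set: installer declares it needs no elevation (per-user install)")
    return notes


if __name__ == "__main__":
    summary = decode_msi_summary(parse_file_info(FILE_INFO), "PDFSmartKit.msi")
    for note in triage_notes(summary):
        print("-", note)
```

Run as-is it prints three observations: the metadata names OneStart PDF / OneStart.ai while the file is distributed as PDFSmartKit.msi; the create, last-saved and last-printed times are identical, which is what an automated build produces and is consistent with the generated-doc tag; and Word Count bit 3 says the package needs no elevation, matching the per-user install under C:\Users\admin\AppData\Local\OneStart.ai in the process table below. Page Count 450 decodes to a minimum Windows Installer version of 4.5, which is the version that introduced that bit.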

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • setup.exe (PID: 7728)
      • setup.exe (PID: 6652)
      • setup.exe (PID: 1276)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 840)
      • onestart.exe (PID: 3096)
      • onestart.exe (PID: 2244)
      • onestart.exe (PID: 3300)
      • onestart.exe (PID: 6660)
      • onestart.exe (PID: 6744)
      • onestart.exe (PID: 4244)
      • onestart.exe (PID: 5172)
      • onestart.exe (PID: 3796)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 5892)
      • onestart.exe (PID: 8084)
      • onestart.exe (PID: 8120)
      • onestart.exe (PID: 3620)
      • onestart.exe (PID: 4452)
      • onestart.exe (PID: 7256)
      • onestart.exe (PID: 7944)
      • onestart.exe (PID: 472)
      • onestart.exe (PID: 7932)
      • onestart.exe (PID: 3784)
      • onestart.exe (PID: 7856)
      • onestart.exe (PID: 6752)
      • onestart.exe (PID: 7864)
      • onestart.exe (PID: 3900)
      • onestart.exe (PID: 7860)
      • onestart.exe (PID: 6436)
      • onestart.exe (PID: 7624)
      • onestart.exe (PID: 7376)
      • onestart.exe (PID: 1616)
      • onestart.exe (PID: 7324)
      • onestart.exe (PID: 7456)
      • onestart.exe (PID: 5256)
      • onestart.exe (PID: 4172)
      • onestart.exe (PID: 7856)
      • onestart.exe (PID: 496)
    • ADVANCEDINSTALLER has been detected (SURICATA)

      • msiexec.exe (PID: 4988)
    • Actions looks like stealing of personal data

      • notification_helper.exe (PID: 6228)
    • Changes the autorun value in the registry

      • onestart.exe (PID: 7960)
  • SUSPICIOUS

    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 6244)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8104)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7248)
    • Potential Corporate Privacy Violation

      • msiexec.exe (PID: 4988)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4988)
      • msiexec.exe (PID: 7328)
    • Access to an unwanted program domain was detected

      • msiexec.exe (PID: 4988)
    • Process requests binary or script from the Internet

      • msiexec.exe (PID: 4988)
    • Application launched itself

      • setup.exe (PID: 7912)
      • setup.exe (PID: 6652)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 7960)
    • Executable content was dropped or overwritten

      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • onestart.exe (PID: 3900)
    • Creates a software uninstall entry

      • setup.exe (PID: 7912)
    • Searches for installed software

      • setup.exe (PID: 7912)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 7328)
    • The process deletes folder without confirmation

      • msiexec.exe (PID: 7328)
    • The process checks if it is being run in the virtual environment

      • onestart.exe (PID: 7960)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6244)
    • Reads the computer name

      • msiexec.exe (PID: 7248)
      • msiexec.exe (PID: 7328)
      • msiexec.exe (PID: 4988)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • notification_helper.exe (PID: 6228)
      • setup.exe (PID: 6652)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 840)
      • onestart.exe (PID: 2244)
      • onestart.exe (PID: 3796)
      • onestart.exe (PID: 496)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6244)
    • Checks supported languages

      • msiexec.exe (PID: 7328)
      • msiexec.exe (PID: 7248)
      • msiexec.exe (PID: 4988)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • setup.exe (PID: 7728)
      • notification_helper.exe (PID: 6228)
      • setup.exe (PID: 6652)
      • setup.exe (PID: 1276)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 1348)
      • onestart.exe (PID: 3096)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 2244)
      • onestart.exe (PID: 6744)
      • onestart.exe (PID: 3300)
      • onestart.exe (PID: 6660)
      • onestart.exe (PID: 4244)
      • onestart.exe (PID: 5892)
      • onestart.exe (PID: 3796)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 5172)
      • onestart.exe (PID: 8120)
      • onestart.exe (PID: 8084)
      • onestart.exe (PID: 3620)
      • onestart.exe (PID: 4452)
      • onestart.exe (PID: 7256)
      • onestart.exe (PID: 7944)
      • onestart.exe (PID: 472)
      • onestart.exe (PID: 6436)
      • onestart.exe (PID: 7932)
      • onestart.exe (PID: 6752)
      • onestart.exe (PID: 7856)
      • onestart.exe (PID: 7864)
      • onestart.exe (PID: 7860)
      • onestart.exe (PID: 3900)
      • onestart.exe (PID: 7324)
      • onestart.exe (PID: 3784)
      • onestart.exe (PID: 7376)
      • onestart.exe (PID: 1616)
      • onestart.exe (PID: 7624)
      • onestart.exe (PID: 496)
      • onestart.exe (PID: 840)
      • onestart.exe (PID: 7456)
      • onestart.exe (PID: 7856)
      • onestart.exe (PID: 5256)
      • onestart.exe (PID: 4172)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 4988)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • notification_helper.exe (PID: 6228)
      • setup.exe (PID: 6652)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 8188)
      • onestart.exe (PID: 496)
    • Reads the software policy settings

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 7248)
      • slui.exe (PID: 7552)
      • slui.exe (PID: 7772)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 7248)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7248)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 496)
    • The sample compiled with english language support

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 7248)
      • msiexec.exe (PID: 4988)
      • onestart_installer.exe (PID: 7672)
      • setup.exe (PID: 7912)
      • onestart.exe (PID: 3900)
    • Checks proxy server information

      • msiexec.exe (PID: 6244)
      • msiexec.exe (PID: 4988)
      • onestart.exe (PID: 7960)
      • slui.exe (PID: 7772)
    • Reads Environment values

      • msiexec.exe (PID: 7328)
      • msiexec.exe (PID: 4988)
    • Manages system restore points

      • SrTasks.exe (PID: 5968)
    • Process checks computer location settings

      • msiexec.exe (PID: 7328)
      • onestart.exe (PID: 7960)
      • onestart.exe (PID: 6660)
      • onestart.exe (PID: 6744)
      • onestart.exe (PID: 5892)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 6436)
    • Create files in a temporary directory

      • onestart.exe (PID: 7960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {379C2324-209C-4D64-B4C1-296F09F1135C}
Words: 10
Subject: OneStart PDF
Author: OneStart.ai
LastModifiedBy: -
Software: OneStart PDF
Template: ;1033
Comments: OneStart PDF 4.5.286.2
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2025:02:21 01:24:57
ModifyDate: 2025:02:21 01:24:57
LastPrinted: 2025:02:21 01:24:57
Pages: 450
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
57
Malicious processes
6
Suspicious processes
41

Behavior graph

Rendered interactively in the full report; "no specs" marks instances with no behavioral indicators of their own. Process images in graph order:
  • start
  • msiexec.exe (4 instances; one tagged #ADVANCEDINSTALLER, one no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe (2 instances)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (2 instances, no specs)
  • onestart_installer.exe
  • setup.exe (4 instances; 3 no specs)
  • notification_helper.exe
  • chrome.exe (no specs)
  • cmd.exe (no specs)
  • onestart.exe (38 instances, the bulk of them no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
472
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=4516,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
496
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6792,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
840
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=1996 /prefetch:2
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
1276
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_704F1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.161 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff7e002e2f8,0x7ff7e002e304,0x7ff7e002e310
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_704F1.tmp\setup.exe
Parent process:
setup.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart Installer
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart installer\cr_704f1.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
1348
CMD:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.161 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc8968dcf8,0x7ffc8968dd04,0x7ffc8968dd10
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
1616
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=6796,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
2244
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Exit code:
0
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
2616
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3096
CMD:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.161 --initial-client-data=0x190,0x194,0x198,0x154,0x19c,0x7ff73bee3840,0x7ff73bee384c,0x7ff73bee3858
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
3300
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2488,i,8951672226818975923,3828989060126540865,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:8
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Version:
132.0.6834.161
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.161\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
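The command lines in this table are ordinary Chromium multi-process switches (--type=utility, --type=gpu-process, a crashpad-handler, mojo channel handles, and chrome_elf.dll in every image list) running from a rebranded binary under the user's AppData. The script below is an added example, not ANY.RUN's or OneStart's code, that encodes the traits a reviewer reads off the table: a user-writable install path, self-launch (the report's "Application launched itself"), Chromium switches in an image that is not an approved browser, and the crashpad product annotation. The records are constructed from the table with command lines cut down to the switches inspected; APPROVED_CHROMIUM_IMAGES is an assumption for the example, not a vendor list.

```python
"""Tag the process-tree traits visible in a sandbox Process information table.

Added example for this report (not ANY.RUN code).  PROCESSES is constructed
from the table above; APPROVED_CHROMIUM_IMAGES is an assumption.
"""
import re
from collections import defaultdict

APPDATA = r"C:\Users\admin\AppData\Local\OneStart.ai"

PROCESSES = [
    {"pid": 472, "image": "onestart.exe", "parent": "onestart.exe", "integrity": "LOW",
     "path": APPDATA + r"\OneStart\Application\onestart.exe",
     "cmd": "onestart.exe --type=utility --utility-sub-type=unzip.mojom.Unzipper "
            "--service-sandbox-type=service --mojo-platform-channel-handle=4308"},
    {"pid": 496, "image": "onestart.exe", "parent": "onestart.exe", "integrity": "MEDIUM",
     "path": APPDATA + r"\OneStart\Application\onestart.exe",
     "cmd": "onestart.exe --type=gpu-process --disable-gpu-sandbox --use-gl=disabled "
            "--mojo-platform-channel-handle=5304"},
    {"pid": 1276, "image": "setup.exe", "parent": "setup.exe", "integrity": "MEDIUM",
     "path": APPDATA + r"\OneStart Installer\CR_704F1.tmp\setup.exe",
     "cmd": "setup.exe --type=crashpad-handler --annotation=plat=Win64 "
            "--annotation=prod=OneStart --annotation=ver=132.0.6834.161"},
    {"pid": 2244, "image": "onestart.exe", "parent": "onestart.exe", "integrity": "MEDIUM",
     "path": APPDATA + r"\OneStart\Application\onestart.exe",
     "cmd": "onestart.exe --update"},
    {"pid": 2616, "image": "conhost.exe", "parent": "SrTasks.exe", "integrity": "SYSTEM",
     "path": r"C:\Windows\System32\conhost.exe",
     "cmd": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|locallow|roaming)\\", re.I)
CHROMIUM_MARKERS = ("--type=", "--mojo-platform-channel-handle=", "--field-trial-handle=")
APPROVED_CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "msedgewebview2.exe"}  # assumption
_PROD = re.compile(r"--annotation=prod=(\S+)")


def analyse(proc: dict) -> list:
    """Return the tags that apply to one process record, in check order."""
    image, cmd = proc["image"].lower(), proc["cmd"]
    tags = []
    if USER_WRITABLE.match(proc["path"]):
        tags.append("user_writable_path")       # installed without admin rights, no UAC prompt
    if proc["parent"].lower() == image:
        tags.append("launched_itself")          # the report's 'Application launched itself'
    if any(m in cmd for m in CHROMIUM_MARKERS) and image not in APPROVED_CHROMIUM_IMAGES:
        tags.append("rebranded_chromium")       # Chromium multi-process switches, non-browser image
    if "--disable-gpu-sandbox" in cmd:
        tags.append("gpu_sandbox_disabled")     # usual GPU fallback on a VM; informational
    m = _PROD.search(cmd)
    if m:
        tags.append("crashpad_product=" + m.group(1))
    return tags


def summarise(procs: list) -> tuple:
    """Tags per PID, plus the union of tags per image name for a quick verdict."""
    per_pid = {p["pid"]: analyse(p) for p in procs}
    per_image = defaultdict(set)
    for p in procs:
        per_image[p["image"].lower()].update(per_pid[p["pid"]])
    return per_pid, dict(per_image)


if __name__ == "__main__":
    per_pid, per_image = summarise(PROCESSES)
    for image, tags in sorted(per_image.items()):
        print(f"{image:14s} {', '.join(sorted(tags)) or '-'}")
```

Applied to a full process dump the same checks would tag all 38 onestart.exe instances and the four setup.exe instances while leaving conhost.exe, SrTasks.exe and the system services untagged. The gpu_sandbox_disabled tag on PID 496 is the normal fallback in a VM without a GPU and is not evidence of anything by itself; the combination of user_writable_path, launched_itself and rebranded_chromium on a binary the user thought was a PDF tool is the finding.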
Total events
17 259
Read events
16 913
Write events
322
Delete events
24

Modification events

Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
480000000000000031F8709E1E9DDB01501C0000981F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000031F8709E1E9DDB01501C0000981F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000005A19249F1E9DDB01501C0000981F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000051B7259F1E9DDB01501C0000981F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000AAE4359F1E9DDB01501C0000981F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000000BB93C9F1E9DDB01501C0000981F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000C98DE79F1E9DDB01501C0000981F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7248) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000B1C2EA9F1E9DDB01501C00001C1C0000E803000001000000000000000000000004C5912BD002EE42B7C5B8E1E7C20FA400000000000000000000000000000000
Process: (8104) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
480000000000000087C124A01E9DDB01A81F0000C41F0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (8104) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
480000000000000087C124A01E9DDB01A81F0000341C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
36
Suspicious files
298
Text files
74
Unknown types
0

Dropped files

PID | Process | Filename | Type
7248 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6244 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSID2F2.tmp | executable
MD5: 0606E1A2FE0D72593405CAFEB945C740
SHA256: E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
6244 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_047665DA31D3B6D49BCD9D6BF2556F80 | binary
MD5: 40B333598FE98936E3225D0E529BA74A
SHA256: 3DEC3F21E7080CB39B2D933FEEC5A164D394956F8808B46A3A3AFA95E1ED67B4
7248 | msiexec.exe | C:\Windows\Installer\MSI7541.tmp | executable
MD5: 748B2602C9F9884DD718B958622F033B
SHA256: 7F6BD90D567D13C53DA8FE4944A4496E0A68AC55CA74661C51A1609034B7F302
6244 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1 | binary
MD5: E2D709D30DF778AB929F3AB0F10931F5
SHA256: ED5F1EA425924F1959226B59E2385708289DEBAEE1506EED7506FD0904899F93
6244 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIE100.tmp | executable
MD5: 0606E1A2FE0D72593405CAFEB945C740
SHA256: E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
4988 | msiexec.exe | C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part
MD5:
SHA256:
4988 | msiexec.exe | C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
MD5:
SHA256:
6244 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIDE3D.tmp | executable
MD5: 0606E1A2FE0D72593405CAFEB945C740
SHA256: E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
7248 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5: 68552AEE6551CC92843E7F6FC4AE758F
SHA256: EAFCD30B9634BF1640F95C23AC5F88FEB098BC2EE0C045840E9CE49D15A64B67
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
74
DNS requests
57
Threats
30

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6244
msiexec.exe
GET
200
18.173.205.43:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6244
msiexec.exe
GET
200
18.173.205.43:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSoEwb5tith0jIBy9frSyNGB1lsAAQUNr1J%2FzEs669qQP6ZwBbtuvxI3V8CEEhAwkRt2T9xBNbvBB%2BwDhI%3D
unknown
whitelisted
1348
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
8188
onestart.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/mfnf4w4aaa2rporuqgtjqv35v4_4.10.2891.0/oimompecagnajdejgnnjijobebaeigek_4.10.2891.0_win64_acwxtxt2znguar3w2o252umtomsq.crx3
unknown
whitelisted
2244
onestart.exe
POST
200
18.245.31.36:80
http://event.onestart.ai/
unknown
unknown
7960
onestart.exe
POST
200
18.245.31.36:80
http://event.onestart.ai/
unknown
unknown
7752
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/niikhdgajlphfehepabhhblakbdgeefj_2025.03.12.00_all_adq7z562swe73sgkbx65gzsho2ha.crx3
unknown
whitelisted
7752
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/niikhdgajlphfehepabhhblakbdgeefj_2025.03.12.00_all_adq7z562swe73sgkbx65gzsho2ha.crx3
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 40.126.31.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
- | - | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6244 | msiexec.exe | 18.173.205.43:80 | ocsps.ssl.com | - | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
login.live.com
  • 40.126.31.129
  • 20.190.159.68
  • 40.126.31.1
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.23
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
ocsps.ssl.com
  • 18.173.205.43
  • 18.173.205.57
  • 18.173.205.76
  • 18.173.205.113
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

PID | Process | Class | Message
4988 | msiexec.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent
4988 | msiexec.exe | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
4988 | msiexec.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
8188 | onestart.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt (7 identical alerts)
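Most destinations in the HTTP, Connections and DNS tables are Windows background traffic (settings-win.data.microsoft.com, login.live.com, client.wns.windows.com) or the certificate revocation checks that msiexec.exe and the OS perform while validating Authenticode signatures (crl.microsoft.com, ocsps.ssl.com, ocsp.digicert.com; the CryptnetUrlCache entries in the dropped-files list are the cached responses). What the sample itself contacted is a short list: POSTs over plain HTTP to event.onestart.ai from onestart.exe PIDs 2244 and 7960, and component downloads from edgedl.me.gvt1.com, Google's Chromium component CDN. The script below is an added example (not ANY.RUN's code) that separates the two by process attribution rather than by the reputation column. Rows are constructed from the tables above with the long OCSP and CDN paths shortened; SAMPLE_IMAGES and SAMPLE_MSIEXEC_PIDS come from the report's process tree, and the OS and PKI host patterns are assumptions for the example.

```python
"""Separate sample-attributable network activity from OS background noise.

Added example for this report (not ANY.RUN code).  Rows are constructed from
the HTTP requests and Connections tables above; host patterns are assumptions.
"""
from urllib.parse import urlparse

# (pid, image, method, status, url); None where the report shows no PID.
# Long OCSP/CRL query strings and CDN paths are shortened to "...".
HTTP_ROWS = [
    (None, None, "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (6244, "msiexec.exe", "GET", 200, "http://ocsps.ssl.com/MFEwTzBN..."),
    (6544, "svchost.exe", "GET", 200, "http://ocsp.digicert.com/MFEwTzBN..."),
    (1348, "backgroundTaskHost.exe", "GET", 200, "http://ocsp.digicert.com/MFEwTzBN..."),
    (8188, "onestart.exe", "GET", 200, "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/.../...crx3"),
    (2244, "onestart.exe", "POST", 200, "http://event.onestart.ai/"),
    (7960, "onestart.exe", "POST", 200, "http://event.onestart.ai/"),
    (7752, "svchost.exe", "HEAD", 200, "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/.../...crx3"),
    (7752, "svchost.exe", "GET", 206, "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/.../...crx3"),
]
# (pid, image, ip:port, domain) from the Connections table; "" where no domain was resolved.
CONNECTIONS = [
    (4, "System", "192.168.100.255:138", ""),
    (None, None, "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (6544, "svchost.exe", "40.126.31.129:443", "login.live.com"),
    (5496, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (6244, "msiexec.exe", "18.173.205.43:80", "ocsps.ssl.com"),
]

SAMPLE_IMAGES = {"onestart.exe", "setup.exe", "onestart_installer.exe", "notification_helper.exe"}
SAMPLE_MSIEXEC_PIDS = {6244, 7248, 7328, 4988}   # the msiexec.exe instances in the report's tree
OS_SUFFIXES = (".microsoft.com", ".windows.com", ".live.com", ".msn.com")   # assumption
PKI_PREFIXES = ("crl.", "ocsp.", "ocsps.")                                    # assumption


def is_sample_process(pid, image) -> bool:
    """msiexec.exe is a system binary, so it counts only for the PIDs in the sample's tree."""
    image = (image or "").lower()
    return image in SAMPLE_IMAGES or (image == "msiexec.exe" and pid in SAMPLE_MSIEXEC_PIDS)


def classify_host(host: str) -> str:
    """pki = revocation checks, os = Windows background services, other = everything else."""
    host = host.lower()
    if host.startswith(PKI_PREFIXES):
        return "pki"
    if host.endswith(OS_SUFFIXES):
        return "os"
    return "other"


def triage(http_rows: list, connections: list) -> dict:
    """Bucket every destination and pull out what the sample's own processes talked to."""
    buckets = {"pki": set(), "os": set(), "other": set()}
    sample_hosts, plaintext_posts = set(), []
    for pid, image, method, _status, url in http_rows:
        host = urlparse(url).hostname
        kind = classify_host(host)
        buckets[kind].add(host)
        if is_sample_process(pid, image) and kind != "pki":
            sample_hosts.add(host)
            if method == "POST" and urlparse(url).scheme == "http":
                plaintext_posts.append((pid, host))   # beacon/telemetry sent unencrypted
    for pid, image, _ip, domain in connections:
        if domain:
            kind = classify_host(domain)
            buckets[kind].add(domain)
            if is_sample_process(pid, image) and kind != "pki":
                sample_hosts.add(domain)
    return {"buckets": buckets, "sample_hosts": sample_hosts, "plaintext_posts": plaintext_posts}


if __name__ == "__main__":
    result = triage(HTTP_ROWS, CONNECTIONS)
    for kind, hosts in result["buckets"].items():
        print(f"{kind:6s} {', '.join(sorted(hosts))}")
    print("sample-attributable:", ", ".join(sorted(result["sample_hosts"])))
    print("plaintext POSTs:", result["plaintext_posts"])
```

Two caveats come from the tables themselves. The "whitelisted" reputation on edgedl.me.gvt1.com reflects Google's CDN, not the rebranded browser pulling components from it; and the same .crx3 is also fetched by svchost.exe (PID 7752) with HEAD then GET 206, which looks like a background transfer job done on the browser's behalf, so attribution by image name alone misses it. The S3-hosted executable download that the Threats section attributes to msiexec.exe (PID 4988) is among the 35 requests but not among the ten shown on this page, so it is absent from the constructed rows.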
No debug info