File name:

onestartpdfdirect.msi

Full analysis: https://app.any.run/tasks/5118d829-a5c6-4b7d-85b0-3578f292cbfb
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 19, 2025, 02:50:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
advancedinstaller
loader
adware
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {2AB432B9-4A8F-450E-97CC-F7C2BB9E3A0D}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.288.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Feb 25 07:27:39 2025, Last Saved Time/Date: Tue Feb 25 07:27:39 2025, Last Printed: Tue Feb 25 07:27:39 2025, Number of Pages: 450
MD5:

EA145FD7E4BFE90B845087F625A58353

SHA1:

01E96D89E96DC4EEE50584B909C7B9D2C3CCD524

SHA256:

B3FBECF2FFECD74592B01AF25A2AF25E4B0E5CF47DA94468DE4104AB3D51B49F

SSDEEP:

49152:JpA9IzHPo6CsA+2HQ8Eip1siy0EvNcp5ECoyVZpJ/Diaf8psS:g9I7o6Hh6Q8RkVcp5ECoaF6v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • onestart_installer.exe (PID: 7008)
      • setup.exe (PID: 3100)
      • setup.exe (PID: 1244)
      • setup.exe (PID: 4116)
      • setup.exe (PID: 2504)
      • onestart.exe (PID: 5576)
      • onestart.exe (PID: 3028)
      • onestart.exe (PID: 1204)
      • onestart.exe (PID: 3840)
      • onestart.exe (PID: 7192)
      • onestart.exe (PID: 7936)
      • onestart.exe (PID: 8056)
      • onestart.exe (PID: 5532)
      • onestart.exe (PID: 5620)
      • onestart.exe (PID: 8096)
      • onestart.exe (PID: 6264)
      • onestart.exe (PID: 4024)
      • onestart.exe (PID: 7972)
      • onestart.exe (PID: 7460)
      • onestart.exe (PID: 3160)
      • onestart.exe (PID: 4044)
      • onestart.exe (PID: 7720)
      • onestart.exe (PID: 3972)
      • onestart.exe (PID: 6524)
      • onestart.exe (PID: 480)
      • onestart.exe (PID: 2304)
      • onestart.exe (PID: 4916)
      • onestart.exe (PID: 3872)
    • ADVANCEDINSTALLER has been detected (SURICATA)

      • msiexec.exe (PID: 1352)
    • Changes the autorun value in the registry

      • onestart.exe (PID: 5576)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 5612)
    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 7080)
      • msiexec.exe (PID: 1040)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1040)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1352)
      • msiexec.exe (PID: 6504)
    • Application launched itself

      • setup.exe (PID: 3100)
      • setup.exe (PID: 4116)
      • onestart.exe (PID: 5576)
    • Process requests binary or script from the Internet

      • msiexec.exe (PID: 1352)
    • Access to an unwanted program domain was detected

      • svchost.exe (PID: 2200)
      • msiexec.exe (PID: 1352)
    • Potential Corporate Privacy Violation

      • msiexec.exe (PID: 1352)
    • Executable content was dropped or overwritten

      • onestart_installer.exe (PID: 7008)
      • setup.exe (PID: 3100)
      • onestart.exe (PID: 6524)
    • Creates a software uninstall entry

      • setup.exe (PID: 3100)
    • Searches for installed software

      • setup.exe (PID: 3100)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 6504)
    • The process deletes folder without confirmation

      • msiexec.exe (PID: 6504)
    • The process checks if it is being run in the virtual environment

      • onestart.exe (PID: 5576)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7080)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7080)
      • msiexec.exe (PID: 1352)
      • onestart_installer.exe (PID: 7008)
      • setup.exe (PID: 3100)
      • notification_helper.exe (PID: 1380)
      • onestart.exe (PID: 5576)
      • setup.exe (PID: 4116)
      • onestart.exe (PID: 3840)
      • onestart.exe (PID: 5532)
    • Checks proxy server information

      • msiexec.exe (PID: 7080)
      • msiexec.exe (PID: 1352)
      • onestart.exe (PID: 5576)
      • slui.exe (PID: 8064)
    • An automatically generated document

      • msiexec.exe (PID: 7080)
    • Reads the computer name

      • msiexec.exe (PID: 1040)
      • msiexec.exe (PID: 6504)
      • msiexec.exe (PID: 1352)
      • onestart_installer.exe (PID: 7008)
      • setup.exe (PID: 3100)
      • notification_helper.exe (PID: 1380)
      • setup.exe (PID: 4116)
      • onestart.exe (PID: 5576)
      • onestart.exe (PID: 3840)
      • onestart.exe (PID: 1204)
      • identity_helper.exe (PID: 7692)
      • identity_helper.exe (PID: 8068)
      • onestart.exe (PID: 5532)
      • onestart.exe (PID: 4024)
    • Checks supported languages

      • msiexec.exe (PID: 1040)
      • msiexec.exe (PID: 6504)
      • msiexec.exe (PID: 1352)
      • setup.exe (PID: 3100)
      • onestart_installer.exe (PID: 7008)
      • notification_helper.exe (PID: 1380)
      • onestart.exe (PID: 5576)
      • setup.exe (PID: 2504)
      • setup.exe (PID: 4116)
      • onestart.exe (PID: 3028)
      • setup.exe (PID: 1244)
      • onestart.exe (PID: 3840)
      • onestart.exe (PID: 1204)
      • onestart.exe (PID: 7936)
      • onestart.exe (PID: 8056)
      • identity_helper.exe (PID: 7692)
      • onestart.exe (PID: 7192)
      • identity_helper.exe (PID: 8068)
      • onestart.exe (PID: 5532)
      • onestart.exe (PID: 3160)
      • onestart.exe (PID: 8096)
      • onestart.exe (PID: 7460)
      • onestart.exe (PID: 4024)
      • onestart.exe (PID: 6264)
      • onestart.exe (PID: 7972)
      • onestart.exe (PID: 5620)
      • onestart.exe (PID: 4044)
      • onestart.exe (PID: 7720)
      • onestart.exe (PID: 6524)
      • onestart.exe (PID: 3972)
      • onestart.exe (PID: 480)
      • onestart.exe (PID: 2304)
      • onestart.exe (PID: 4916)
      • onestart.exe (PID: 3872)
    • Reads the software policy settings

      • msiexec.exe (PID: 7080)
      • msiexec.exe (PID: 1040)
      • slui.exe (PID: 8064)
    • Reads Environment values

      • msiexec.exe (PID: 6504)
      • msiexec.exe (PID: 1352)
      • identity_helper.exe (PID: 7692)
      • identity_helper.exe (PID: 8068)
    • The sample compiled with english language support

      • msiexec.exe (PID: 7080)
      • msiexec.exe (PID: 1040)
      • onestart_installer.exe (PID: 7008)
      • setup.exe (PID: 3100)
      • onestart.exe (PID: 6524)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7080)
      • msiexec.exe (PID: 1040)
      • msedge.exe (PID: 2356)
      • msedge.exe (PID: 3844)
    • Manages system restore points

      • SrTasks.exe (PID: 1496)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1040)
      • onestart.exe (PID: 5576)
      • onestart.exe (PID: 5532)
    • Process checks computer location settings

      • msiexec.exe (PID: 6504)
      • onestart.exe (PID: 5576)
      • onestart.exe (PID: 3972)
    • Application launched itself

      • msedge.exe (PID: 2356)
      • msedge.exe (PID: 3588)
    • Create files in a temporary directory

      • onestart.exe (PID: 5576)
    • Launching a file from a Registry key

      • onestart.exe (PID: 5576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {2AB432B9-4A8F-450E-97CC-F7C2BB9E3A0D}
Words: 10
Subject: OneStart PDF
Author: OneStart.ai
LastModifiedBy: -
Software: OneStart PDF
Template: ;1033
Comments: OneStart PDF 4.5.288.2
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2025:02:25 07:27:39
ModifyDate: 2025:02:25 07:27:39
LastPrinted: 2025:02:25 07:27:39
Pages: 450
No data.
All screenshots are available in the full report
Total processes
241
Monitored processes
88
Malicious processes
5
Suspicious processes
27

Behavior graph

start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs #ADVANCEDINSTALLER msiexec.exe svchost.exe onestart_installer.exe setup.exe setup.exe no specs notification_helper.exe no specs chrome.exe no specs setup.exe no specs setup.exe no specs onestart.exe onestart.exe no specs msedge.exe cmd.exe no specs conhost.exe no specs onestart.exe no specs onestart.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs onestart.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs onestart.exe no specs onestart.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs onestart.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe no specs onestart.exe msedge.exe no specs onestart.exe no specs msedge.exe no specs onestart.exe no specs msedge.exe no specs msedge.exe no specs onestart.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
72
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1668,i,9558723766642874720,6547634192090441926,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
480
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=5484,i,4771318160072051941,13807946904829185959,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:8
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Exit code:
0
Version:
132.0.6834.164
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.164\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
1040
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1204
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --string-annotations --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2204,i,4771318160072051941,13807946904829185959,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Parent process:
onestart.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
LOW
Description:
OneStart
Version:
132.0.6834.164
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart\application\onestart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\onestart.ai\onestart\application\132.0.6834.164\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
1244
CMD:
"C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_9B30D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=132.0.6834.164 --initial-client-data=0x2a4,0x2a8,0x2ac,0xa4,0x2b0,0x7ff601969338,0x7ff601969344,0x7ff601969350
Path:
C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_9B30D.tmp\setup.exe
Parent process:
setup.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart Installer
Exit code:
0
Version:
132.0.6834.164
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart installer\cr_9b30d.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
1352
CMD:
C:\Windows\syswow64\MsiExec.exe -Embedding 2DB3E54D0543B99C0D53C47668F2CA10
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
1380
CMD:
"C:\Program Files\Google\Chrome\Application\133.0.6943.127\notification_helper.exe" -Embedding
Path:
C:\Program Files\Google\Chrome\Application\133.0.6943.127\notification_helper.exe
Parent process:
svchost.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\133.0.6943.127\notification_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
1388
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4504,i,9558723766642874720,6547634192090441926,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
PID:
1496
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1800
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5976,i,775436919709166843,16049408521998245468,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
26 231
Read events
25 871
Write events
338
Delete events
22

Modification events

(PID) Process: (1040) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000009837CBF557F8DB01100400005C150000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (1040) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000039BCDF557F8DB01100400005C150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000FBC625F657F8DB01EC15000058190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000FBC625F657F8DB01EC15000048000000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: write
Name: Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation: delete key
Name: (default)
Value:
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation: write
Name: Element
Value:
\EFI\Boot\Loader.efi
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation: delete key
Name: (default)
Value:
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation: delete key
Name: (default)
Value:
(PID) Process: (5612) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\25000004
Operation: delete key
Name: (default)
Value:
Executable files
49
Suspicious files
418
Text files
149
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 1040 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 7080 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_047665DA31D3B6D49BCD9D6BF2556F80 | Type: binary
MD5: 4183D87AC843E5C740421269F87B3862
SHA256: 05B1D65E35E7E77A28A153C2F362817BCB1475200B2188498180195E927F6E66
PID: 7080 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1 | Type: binary
MD5: 0DCF6E0DA2D87E8858AC479BE796669F
SHA256: A2C4BF34F710BFAB8F1DCCD14C53A7070E7B643902A9BFCCB281D81C8D593901
PID: 7080 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\MSIC85C.tmp | Type: executable
MD5: 0606E1A2FE0D72593405CAFEB945C740
SHA256: E19A895AD4025EFF45AB03AA31A0916A6BA1E4F06DF5D6385B8C40924DC10890
PID: 7080 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_047665DA31D3B6D49BCD9D6BF2556F80 | Type: binary
MD5: E63DF09C625CC5CC222903A0B05B3529
SHA256: FD7A6A0A637B26DFA973BC5C00F0F034DEECE8FA07EA42A01FE9007712201511
PID: 1040 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{e792dc96-1c14-4203-a302-de43f108cf95}_OnDiskSnapshotProp | Type: binary
MD5: 6E602D2B191D16C2533600EAE2865F74
SHA256: 143AA27B828A1AE5C997CD62A9567C7B3843F87C6F836A7C2CCA0D83368A0291
PID: 1352 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part
MD5:
SHA256:
PID: 1352 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
MD5:
SHA256:
PID: 1040 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\snapshot-2 | Type: binary
MD5: 6E602D2B191D16C2533600EAE2865F74
SHA256: 143AA27B828A1AE5C997CD62A9567C7B3843F87C6F836A7C2CCA0D83368A0291
PID: 1040 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSIF7B.tmp | Type: executable
MD5: 748B2602C9F9884DD718B958622F033B
SHA256: 7F6BD90D567D13C53DA8FE4944A4496E0A68AC55CA74661C51A1609034B7F302
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
63
TCP/UDP connections
118
DNS requests
124
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2528
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7080
msiexec.exe
GET
200
18.173.205.43:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D
unknown
whitelisted
7080
msiexec.exe
GET
200
18.173.205.43:80
http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSoEwb5tith0jIBy9frSyNGB1lsAAQUNr1J%2FzEs669qQP6ZwBbtuvxI3V8CEEhAwkRt2T9xBNbvBB%2BwDhI%3D
unknown
whitelisted
1352
msiexec.exe
GET
143.204.98.59:80
http://resources.onestart.ai/onestart_installer_132.0.6834.164.exe
unknown
unknown
7008
onestart_installer.exe
POST
200
13.32.99.10:80
http://event.onestart.ai/
unknown
unknown
5012
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5012
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7008
onestart_installer.exe
POST
200
13.32.99.10:80
http://event.onestart.ai/
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7008
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7080
msiexec.exe
18.173.205.43:80
ocsps.ssl.com
US
whitelisted
4
System
192.168.100.255:138
whitelisted
2528
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2528
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.142
whitelisted
ocsps.ssl.com
  • 18.173.205.43
  • 18.173.205.57
  • 18.173.205.113
  • 18.173.205.76
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.128
  • 20.190.159.23
  • 40.126.31.1
  • 40.126.31.131
  • 20.190.159.2
  • 40.126.31.0
  • 40.126.31.67
  • 20.190.159.129
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 184.28.89.167
whitelisted
resources.onestart.ai
  • 143.204.98.59
  • 143.204.98.8
  • 143.204.98.82
  • 143.204.98.32
unknown
onestart.ai
  • 13.33.187.25
  • 13.33.187.4
  • 13.33.187.77
  • 13.33.187.71
unknown

Threats

PID
Process
Class
Message
2200
svchost.exe
Possibly Unwanted Program Detected
SUSPICIOUS [ANY.RUN] PUP OneStart related domain (onestart .ai)
1352
msiexec.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] AdvancedInstaller User-Agent
1352
msiexec.exe
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
1352
msiexec.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
3844
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3844
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3844
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3844
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3840
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
3840
onestart.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
No debug info