Edit tour

Windows Analysis Report
allpdfpro.msi

Overview

General Information

Sample name:	allpdfpro.msi
Analysis ID:	1582898
MD5:	e5869064f95aa66ed6929d8f80706200
SHA1:	e1c6f8ae524d8bd9ef91fbeccfcb8952b00d25fa
SHA256:	7d5e85dbdbf85ed033be48f7ef38ef438be15db869b2950a359f9e23cc1f58cb
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	61
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

Writes to foreign memory regions

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Stores large binary data to the registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

msiexec.exe (PID: 3784 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\allpdfpro.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1044 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3748 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A68B78C46A4BD28A0D2771A61660EC3D C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3032 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 975CED43960BCCD61250A347004CF187 MD5: 9D09DC1EDA745A5F87553048E57620CF)

onestart_installer.exe (PID: 2896 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "15" "2" "1" "1" MD5: 1D599092628613F06912EC455CA61F96)

setup.exe (PID: 5136 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1" MD5: 235FDB3B59EE9DC1069F9C05F6734E16)

setup.exe (PID: 5856 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff6265a8148,0x7ff6265a8154,0x7ff6265a8160 MD5: 235FDB3B59EE9DC1069F9C05F6734E16)

cleanup

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 143.204.98.59, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3032, Protocol: tcp, SourceIp: 192.168.2.17, SourceIsIpv6: false, SourcePort: 49713

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://resources.onestart.ai/onestart_installer_130.0.6723.134.exe

Avira URL Cloud: Label: malware

Compliance

Creates install or setup log file

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe

File created: C:\Windows\SystemTemp\chromium_installer.log

PE / OLE file has a valid certificate

Source: allpdfpro.msi

Static PE information: certificate valid

Spreading

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Networking

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /onestart_installer_130.0.6723.134.exe HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: resources.onestart.aiConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: resources.onestart.ai

System Summary

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\38de49.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDFA1.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE000.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE03F.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0CD.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0FD.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE19A.tmp
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	File created: C:\Windows\SystemTemp\chromium_installer.log

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIDFA1.tmp

Source: classification engine

Classification label: mal52.winMSI@11/22@1/15

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLE186.tmp

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ChromeSetupMutex_12102577189367437840
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ChromeSetupExitEventMutex_12102577189367437840

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIA8C2.tmp

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\allpdfpro.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A68B78C46A4BD28A0D2771A61660EC3D C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A68B78C46A4BD28A0D2771A61660EC3D C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 975CED43960BCCD61250A347004CF187
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 975CED43960BCCD61250A347004CF187
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "15" "2" "1" "1"
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1"
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff6265a8148,0x7ff6265a8154,0x7ff6265a8160
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1"
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff6265a8148,0x7ff6265a8154,0x7ff6265a8160

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Section loaded: uxtheme.dll

PE / OLE file has a valid certificate

Source: allpdfpro.msi

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: allpdfpro.msi

Static file information: File size 4000768 > 1048576

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0FD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAA20.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA9E1.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIE0FD.tmp

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part

Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe

File created: C:\Windows\SystemTemp\chromium_installer.log

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE0FD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAA20.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA9E1.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\System32\msiexec.exe	Memory written: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe base: 1C3CDD20000
Source: C:\Windows\System32\msiexec.exe	Memory written: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe base: 9B02E112D8

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe

Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff6265a8148,0x7ff6265a8154,0x7ff6265a8160

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "c:\users\user\appdata\local\onestart.ai\onestart installer\cr_2fc35.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\onestart.ai\onestart\user data\crashpad" --annotation=plat=win64 --annotation=prod=onestart --annotation=ver=130.0.6723.134 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff6265a8148,0x7ff6265a8154,0x7ff6265a8160
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe "c:\users\user\appdata\local\onestart.ai\onestart installer\cr_2fc35.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\onestart.ai\onestart\user data\crashpad" --annotation=plat=win64 --annotation=prod=onestart --annotation=ver=130.0.6723.134 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff6265a8148,0x7ff6265a8154,0x7ff6265a8160

Language, Device and Operating System Detection

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	31 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
allpdfpro.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSIA9E1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAA20.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE0FD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://resources.onestart.ai/onestart_installer_130.0.6723.134.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
resources.onestart.ai	143.204.98.59	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://resources.onestart.ai/onestart_installer_130.0.6723.134.exe	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
108.138.26.3	unknown	United States	16509	AMAZON-02US	false
13.33.187.4	unknown	United States	16509	AMAZON-02US	false
143.204.98.59	resources.onestart.ai	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582898
Start date and time:	2024-12-31 19:38:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	allpdfpro.msi
Detection:	MAL
Classification:	mal52.winMSI@11/22@1/15
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: allpdfpro.msi

Created / dropped Files

C:\Config.Msi\38de4a.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	796920
Entropy (8bit):	6.726801973383075
Encrypted:	false
SSDEEP:
MD5:	A236F8D16D8F41DC281EE1BB03CEDD3F
SHA1:	0A6D1DEB7F8EAD0C1F8F4693B031FA4B8F7171C8
SHA-256:	7CF0B4584920AAE91CDC8AA4BC6048C7721C576AAF1D84739724FD3AC8936D4B
SHA-512:	3183A85E11C76241502782B2A97701EB49EFB93A0290C626E888094F61B44F42F7D1C2402B36F05822F84F8893701C2DD59D1BAE5E017ACA97606FAA7BF8B271
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.l.Y.@.....@.....@.....@.....@.....@......&.{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}..OneStart PDF..allpdfpro.msi.@.....@.....@.....@........&.{249F5AB3-2E2B-4EC5-91BA-1BEA3464F645}.....@.....@.....@.....@.......@.....@.....@.......@......OneStart PDF......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{FEE34822-BEE6-46CA-8BC7-812252175977}&.{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}.@......&.{D8511B6D-3FAD-4D18-929C-23F5ACD99D44}&.{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}.@........CreateFolders..Creating folders..Folder: [1]#.*.C:\Users\user\AppData\Local\OneStart.ai\.@....#.=.C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\.@........AI_FdRollback..Rolling back downloaded files#.Rolling back downloaded file: "[1]"L...AI_FdRollback.@.-....h$..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.!

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\ONESTART.PACKED.7Z

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	100431188
Entropy (8bit):	7.999997985540364
Encrypted:	true
SSDEEP:
MD5:	DEA5890ADE3DD57F2718048029C3000C
SHA1:	5A59063D94A9CE2CB42B339BFA3D62AA1A914AE7
SHA-256:	8E7E4033FAE4B49B56E89D23F82188E908BE20ACB4EA87E444E75B089C6F74F6
SHA-512:	719014256BCA3B223A7C6C28E9C9184BCCD2223A627821B4B2B795056B5D357B0B10E4A61A446573837F8E0A26814B4579C696879F3CF15FE2405B183318B11A
Malicious:	false
Reputation:	unknown
Preview:	7z..'....G...t.................^......8%D..s.D#..d...a.._-..9...B.....\..\..ScC>......Q../.......E..V.,.ma<[...E.?.Q.h .ee...8.~Y..A...jD.I. ..kL0C.......b.ZU...m..C...e.....t.A..A{......v...k.."+J2+.Jo....cXvf.z.:jn.'.;W.;.Yt\|.0.}..?q.....^.sY3.x.#...S#.r.iO.,xW...?......7Ecz..ii.m9....BF..CzVx.bE.yl......\...8.o.. ......V.....)Ie.v.Q.....#..2...._].5~\...e..l/.....y.n?........}.\...Q.@..OW.w.....4...=:.Mw..........F..W..n^....[../$..5.zY.....Z./....V..x..J...%3/.._..L...=B..W....m-/..M..........(P~.p.}.C[Fg..O:...>{YHnK.#.Z...*.fY.N\|oG5.Qi......7c5X!;)!.#m.{....`..A...ykL....Mu.....2Xo=.F..E.D........./.x}.<..$9.....x.-.n..-..)C.^....EbP.C..#0..n.e6..p..'O...b^;......0.A..J.n.1z.O...)_f.j{.<;......9>W.]P...DYe0.\|.,..L.....>.&v...9T..aE.S..j.p...q...#s...m.[<@..!9...o.A....i...c.[..Q...$..9..e...e..Y.1.".to..7../.?.!......K.U.=~.n.......fH\|....!.....,..o.k.o...Z...Z.....z ....B....E..c...l....@...{.m)U`..\|.x.)!L....8o.

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\SETUP.EX_

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 2150199 bytes, 1 file, at 0x2c "setup.exe", number 1, 151 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	2150199
Entropy (8bit):	7.998448042625016
Encrypted:	true
SSDEEP:
MD5:	116D9EED8FEA4CF1F2D10FECE0F0938A
SHA1:	3489E0D619804C4DB91FB84FEC57A07C2CBDA2AB
SHA-256:	49CBB3296BD12D6701E1D26B80A6C7DC6720751E145A88DB1F1DBA35ACAFEB70
SHA-512:	4AD1C3FE4FCEEAB0118AF72F5D7D19123D3EF850E2909B4827E6BA46DD3B3B33E249AE5761A4121D4DB84B296E8D16077BC79744688524321300B04A51899E7A
Malicious:	false
Reputation:	unknown
Preview:	MSCF....7. .....,...................F.......@.K........YFm..setup.exe.........CK.].P.W....N..7...<n..vn..r...H..d.6;F..Lr&.(.R.i...]y...a...u{U..J.e..vS[.;.pS.. ...5:...'.]...#2...^..bP.........=.}....}...u?.?..Y.cV....n...[...R..{.?.....P...GU............./x..^.s............+..~X..f.w.}.....\.Z.(..~...."...0v...s.].Mc,.......\|,.5./`.......p,dU.....{)...`yYT.b..g...e..[S.0...{....b=...C.3..6.W.zC-...&W.D.O.....{^u.......m..1.2.Oy,.:.7O^.n.....].......U........t....l......{.{.p.u.k....1..F.....h.....-...g.uB......R=.E.....nsAq....9Tp.h.....Y..,,`..P..u.c......3.$............TV.V....q]k.=.k.W!/8.n......c.c.56...OD_..%...q.+U.O....jci.....j\.U.L.V..n{..n.....,..gi..i._..%^......>b...uUi..jq6.q.w..w..s......5.....6..6=..:...#+.S.....K.uS.C....$..{lyr!.I.g...@.............M....}.i...h.L..-"......c%...u.Q?(.\{...z.7......G..:\|.G.X/..%...q.0...F..@.B.h.....IR\.K?..7..;.c.5t.>xw.~.2n{.-.......C.......zvG..0H..."...w...l..*;5.{?......p.+

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4918336
Entropy (8bit):	6.566405491610466
Encrypted:	false
SSDEEP:
MD5:	235FDB3B59EE9DC1069F9C05F6734E16
SHA1:	9D5258311F06A5FDA36107E435733DFD30973C0B
SHA-256:	882FA58642A270884BD432F4788C6DA583F42FE185AFD083746E2F4FDECB9AAC
SHA-512:	E0C23D30AB021EDAE4741F38E7EB05B5901753644EC83D4AA23AA5253D93007F51BFFB5D4609987E0BA6C5EF51B54066F2F1B0CFBC4EB8FBEFD38BA1BABFE2A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2~.f..........".......:...........'........@.............................PL.....(.K...`.........................................s%B.l....%B...... G.p.....E..Q....J.@(... L.t+....B.......................B.(...P';.@...........P6B......$B.@....................text.....:.......:................. ..`.rdata..\|.....;.......;.............@..@.data........0C.......C.............@....pdata...Q....E..R....D.............@..@.gxfg...P4...`F..6...fE.............@..@.retplne......F.......E..................rodata.......F.......E............. ..`.tls....E.....F.......E.............@...CPADinfo8.....F.......E.............@...LZMADEC.......F.......E............. ..`_RDATA........G.......E.............@..@malloc_h......G.......E............. ..`.rsrc...p.... G.......E.............@..@.reloc..t+... L..,....J.............@..B........................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	1D599092628613F06912EC455CA61F96
SHA1:	9DFCD7BC88F597F199E336F262E52195EE2514E4
SHA-256:	FDB0CAAAE3AEF5B7DB2F8AE96424AD0C2A3FAA5FE7DC4DB35A5A85BB6935EB5D
SHA-512:	DEAECA59EE40E280D49290283B6E8220B47554F9D9C904E7E238DC7BC4EBE8FB13833A11291E9AC10C32B8E471F1C370A993FF8E926D17B9FB05BF8443FE277B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2~.f.........."...........!......n.........@.............................@1.......0...`.........................................h...W................Q.......l...<0.@(... 1.P..............................(.......@............................................text...v........................... ..`.rdata.............................@..@.data....p...p.......T..............@....pdata...l.......n...6..............@..@.gxfg....,...`......................@..@.retplne.................................tls....2...........................@..._RDATA..............................@..@.rsrc....Q.......R..................@..@.reloc..P.... 1......*0.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	103834688
Entropy (8bit):	7.999200202442297
Encrypted:	true
SSDEEP:
MD5:	1D599092628613F06912EC455CA61F96
SHA1:	9DFCD7BC88F597F199E336F262E52195EE2514E4
SHA-256:	FDB0CAAAE3AEF5B7DB2F8AE96424AD0C2A3FAA5FE7DC4DB35A5A85BB6935EB5D
SHA-512:	DEAECA59EE40E280D49290283B6E8220B47554F9D9C904E7E238DC7BC4EBE8FB13833A11291E9AC10C32B8E471F1C370A993FF8E926D17B9FB05BF8443FE277B
Malicious:	false
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2~.f.........."...........!......n.........@.............................@1.......0...`.........................................h...W................Q.......l...<0.@(... 1.P..............................(.......@............................................text...v........................... ..`.rdata.............................@..@.data....p...p.......T..............@....pdata...l.......n...6..............@..@.gxfg....,...`......................@..@.retplne.................................tls....2...........................@..._RDATA..............................@..@.rsrc....Q.......R..................@..@.reloc..P.... 1......*0.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	267
Entropy (8bit):	4.403031862950717
Encrypted:	false
SSDEEP:
MD5:	A2F57C71DFB7619A70A12AEFDB89B22A
SHA1:	73339D4F949AE6E8437B2B263DF63904DE19E828
SHA-256:	1C97068CE9EAAB28D5D2CCACA26D4EF0FDBA2E4C673B969ACFDD3DD888F3DA23
SHA-512:	E3F52122FF136627CE255A3E142EBC2F43D880F9AFBC3E56EA32489D1CDE18A8E58F6A1D9854CD80C8A33CA21AE1FB93E19C411A5307575D6EEC27A636B1B912
Malicious:	false
Reputation:	unknown
Preview:	{"ai":"15","bb_mode":"0","cid":"","cpa":"","date":"1735670476","db_mode":"1","fhkey":"","iid":"3f0386f1-a8c7-4407-a4f3-fbe7faf27afe","init_background":"1","init_startup":"1","min_wake":"96","p_index":"2","uac":"","uac_attempt":"","uac_last":"","wake":"24","wciid":""}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\master_preferences

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	159
Entropy (8bit):	4.286966456484247
Encrypted:	false
SSDEEP:
MD5:	746E45D4BE2D95012AFF9A0716E811F6
SHA1:	3AF1BEF7086D7512F800084FC7C95FE994C6A459
SHA-256:	5269F6E042E298253D298CBE4A10EFECE8276BF8058A679DD81A9FA6FE91C060
SHA-512:	33A491D07D6360655D2DF4191458CBB57E6FEF8C583B7B049EC016CA43E5436711DCEEFDAF10335A90DF5FE1C7328A51530BCC87FD1268352B385532D11C2412
Malicious:	false
Reputation:	unknown
Preview:	{"distribution":{"import_bookmarks":"true","import_history":"true","verbose_logging":"true","log_file":"onestartsetup.log"},"session":{"restore_on_startup":1}}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source5136_15266286\onestart.7z

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	356276085
Entropy (8bit):	6.918198460533539
Encrypted:	false
SSDEEP:
MD5:	E7C6CFA0744134E939CDEF6A9B409BD6
SHA1:	5C05B4BD136A38B3903773EF9DD8D011C3B9AD97
SHA-256:	5C70C82651CB90F20C181242B3E7E1ACA2CE7D25D5AB964D47844CFD8C94D9A0
SHA-512:	798EA48BCB26656FB712F577DA1B1BE035A6F72A12F189865A60CEE63CC83FF51475264300B0E3F10DC33CCBAB1E650FEF237865881C7EBC4902120BCD69A8F6
Malicious:	false
Reputation:	unknown
Preview:	7z..'...E..$/W<.....&.........&G<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='130.0.6723.134'.. version='130.0.6723.134'.. type='win32'/>.. <file name='chrome_elf.dll'/>..</assembly>..MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2~.f.........." ......C.........0Sk.......................................\|.....y.Y...`A.........................................................._......0....]...X.@(....c.....`...8...................px..(...@.C.@...........@................................text.....C.......C................. ..`.rdata........C.......C.............@..@.data........`.......L..............@....pdata....]..0....].................@..@.gxfg....C....^..D....;.............@..@.retplne.....0_.......;..................rodata......@_.......;............. ..`.tls.........`_.......;.............@...CPADinfo8....p_.......;.............

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Update\transfer.dat

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	9BF31C7FF062936A96D3C8BD1F8F2FF3
SHA1:	F1ABD670358E036C31296E66B3B66C382AC00812
SHA-256:	E629FA6598D732768F7C726B4B621285F9C3B85303900AA912017DB7617D8BDB
SHA-512:	9A6398CFFC55ADE35B39F1E41CF46C7C491744961853FF9571D09ABB55A78976F72C34CD7A8787674EFA1C226EAA2494DBD0A133169C9E4E2369A7D2D02DE31A
Malicious:	false
Reputation:	unknown
Preview:	15

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad\settings.dat

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.254162526001658
Encrypted:	false
SSDEEP:
MD5:	DD163C274AA4987F8E5D38BC5A08337E
SHA1:	CE26404AE1C12EBA58D51411955EE4848C4487AD
SHA-256:	370AB15FA4BDF985CB2FEA5199ED43779DB86A0C3632659389B170547EC62753
SHA-512:	C77826E0197A83F774AF26CA609C6E4FC46006275121EF417E2C71CA49B62C1A01E086AD120E2FF2130E53A8FF81CB2507EFE58B9A0687315201820076D7A350
Malicious:	false
Reputation:	unknown
Preview:	sdPC......................PO...I.a....\|

C:\Users\user\AppData\Local\Temp\MSIA9E1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4557937684843365
Encrypted:	false
SSDEEP:
MD5:	E83D774F643972B8ECCDB3A34DA135C5
SHA1:	A58ECCFB12D723C3460563C5191D604DEF235D15
SHA-256:	D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
SHA-512:	CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAA20.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\38de49.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {249F5AB3-2E2B-4EC5-91BA-1BEA3464F645}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.264.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 12 05:54:07 2024, Last Saved Time/Date: Thu Dec 12 05:54:07 2024, Last Printed: Thu Dec 12 05:54:07 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	4000768
Entropy (8bit):	6.635648546295468
Encrypted:	false
SSDEEP:
MD5:	E5869064F95AA66ED6929D8F80706200
SHA1:	E1C6F8AE524D8BD9EF91FBECCFCB8952B00D25FA
SHA-256:	7D5E85DBDBF85ED033BE48F7EF38EF438BE15DB869B2950A359F9E23CC1F58CB
SHA-512:	8B8A2676C78B3C088DFBF82AE9A512E949E12004589052A20A323C164309AD6B454A5424970B1E7B8293A116B0C9403A9F99A2E436DF849FFD2D82A9D0E73233
Malicious:	false
Reputation:	unknown
Preview:	......................>...................>...................................H.......d.......l...............................a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y.......................................................o......................................................................................................................................................................................................................."...6............................................................................................... ...!...-...#.......%...&...'...(...)...*...+...,......./...4...0...1...2...3...7...5...>...A...8...9...:...;...<...=.......?...@.......B...C...D...E...F...G...........J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIE0CD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1593020
Entropy (8bit):	6.726279749084214
Encrypted:	false
SSDEEP:
MD5:	2C8E2DEEA327FC82380EAF07F859367D
SHA1:	12FCF7523BCA0BD658244F930C57347FE9466509
SHA-256:	F86FF6DE2D0119024A357A4A61C79EABFA9EF06FFC7C7D8A1A6D2B322774433C
SHA-512:	EDAC10883C82B8D6344BF010A8B329A31B6E1A6947852D5F8EFA31C9466FBDF6E2BDC9A3375B060C2A089F2697EC12ADD99AE612F30232FED13D98A96E8AF455
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.l.Y.@.....@.....@.....@.....@.....@......&.{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}..OneStart PDF..allpdfpro.msi.@.....@.....@.....@........&.{249F5AB3-2E2B-4EC5-91BA-1BEA3464F645}.....@.....@.....@.....@.......@.....@.....@.......@......OneStart PDF......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{FEE34822-BEE6-46CA-8BC7-812252175977}.C:\Users\user\AppData\Local\OneStart.ai\.@.......@.....@.....@......&.{D8511B6D-3FAD-4D18-929C-23F5ACD99D44}=.C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]"..C:\Users\user\AppData\Local\OneStart.ai\.@....".=.C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\.@........AI_FdRollback..Rolling back downloaded files#.Rolling back downloaded file: "[1]"J...AI_FdRollback.@.-....h$..MZ......................@...

C:\Windows\Installer\MSIE0FD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	795752
Entropy (8bit):	6.725505843430141
Encrypted:	false
SSDEEP:
MD5:	367D9C1FB0E917819A12E6492A88C6B9
SHA1:	E8144A631337CC47F87C9A171F95CB955B5E0656
SHA-256:	B5BBB9A1899DADF2BA6CCF0C88868C6C1200F7A095F6E1DBC686DA7CCC271452
SHA-512:	C8645C60B9E5CA4C73968EB7975ECD77E7828E74F95680EE8120CC2823027A3FE6F9F14B162D84C12C6E552F45712260F93BB85637DDCF22D619E9376A1B20D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.!qg.O"g.O"g.O"..L#k.O"..J#.O"w+L#..O"w+K#v.O"w+J#1.O"..K#..O"..N#~.O"g.N"-.O"/F#..O"/O#f.O"/."f.O"g.."f.O"/M#f.O"Richg.O"........PE..L.....$g.........."!...).............................................................G....@A........................@n..D....o..........................h:... ..Xd......p...................@..........@...............d............................text...J........................... ..`.rdata..`...........................@..@.data....a...........j..............@....fptable.............\|..............@....rsrc................~..............@..@.reloc..Xd... ...f..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.769008334585432
Encrypted:	false
SSDEEP:
MD5:	FCC1F594A4A775E2C36CC1AC60A1EC73
SHA1:	56A82BE9FBB2FA78F0B76B3D6B8616A7B4A69063
SHA-256:	56119A5BDAB85294FDB7A2480011DFD833A4B9E0FFDAD82232E76709736A7446
SHA-512:	A926368EE28607F9EA8266BB024ADAB02F0C243DAC96E42F4F4858A674AF547F338D6A6DB40078EFD261011F343CE28D3F3C35189B1A379A2207F9836932ED59
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2568524877461802
Encrypted:	false
SSDEEP:
MD5:	00BA5A9B3BBB0B79C073CD159BC32A8E
SHA1:	3798ADDB8472A281FB909EF36379A8E3E4E0C24F
SHA-256:	9AE19710FC32AB1A592615DE5031D2EEDDDBEA3129DB9BA35116E61CD2518156
SHA-512:	291AACB2E09D704809909E2541C0BE44F3C939AA6BE9366737C5509AAC1FD987E2C8A07A3B678799A9695D0F72952E4EBAE6C22CA94E07E2C51275E89954F3B4
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	403156
Entropy (8bit):	5.359651201712884
Encrypted:	false
SSDEEP:
MD5:	81BDD5FC6032C80819796150A7829F21
SHA1:	507F1C5CEF2E44C9B8D93305B1FE85D34A652BCC
SHA-256:	39070E36C317346F2971D106089A895D08543873CD7182988263CBACC258512E
SHA-512:	B31716B5913671A7D221489FFB6CED7082B17D4723956C2B6D524D0301BD625B315818D59D15B4FB596C77D6638AE7F1805D90A8639C5788E7204D819C0AD4A7
Malicious:	false
Reputation:	unknown
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF5EFC17A1543D526C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6D9A7D265DFE082C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07101287558263503
Encrypted:	false
SSDEEP:
MD5:	94F861EB34E959E2802B9A8B9F7BA59C
SHA1:	AF28734F5BB6F83F7AB5DD0C8B543CD9E0D7E33C
SHA-256:	247583574604B93A14910C301A4AEB203379AB5CABB410CB448726104B435C86
SHA-512:	7495314F47F0F1E343AF9BD232CB049136CF39E9E710C5B1A320D2177B257F7B3F891E25440E4F7170D635F62D904A71D7CC8847C787E881818425E6083D406B
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8C737CE36783B513.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2675936850547487
Encrypted:	false
SSDEEP:
MD5:	B792537CB4372108D7EA6813709BC74D
SHA1:	8DED43DDF329A616F011FC58FD5414BD979AE3DD
SHA-256:	FF6E09CDD7FD5A778E0CBB5C25E5DCA5D202520AC8FB05FB88EA3D842EF52254
SHA-512:	B35A8BD92959836C6618400F42212F2D995890514DC711C96C6724E862757EA6D595C794D9382C434EA0B77919795C23B62DBD1FF78A088F05CEF7D9B3C05BE6
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA8D785928AF0AF9D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	0.13123899594360766
Encrypted:	false
SSDEEP:
MD5:	BD06AC2A17E9AFF50D24014046F73916
SHA1:	A99F9C7EDA19D2D7113DF06FBC9F662A913B1069
SHA-256:	C3816AB806B8B7307F870D93B7192944D1A1DC91E3F0C730E55123282074FECC
SHA-512:	132CDB81453C046E1EE3A297D84FA6FFC66DA4AADF134F97C732F131BAE9A436B3B35C5674E8DA38CED63C7921855AB9F582F2FEB9019D7D6790737207931880
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {249F5AB3-2E2B-4EC5-91BA-1BEA3464F645}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.264.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 12 05:54:07 2024, Last Saved Time/Date: Thu Dec 12 05:54:07 2024, Last Printed: Thu Dec 12 05:54:07 2024, Number of Pages: 450
Entropy (8bit):	6.635648546295468
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	allpdfpro.msi
File size:	4'000'768 bytes
MD5:	e5869064f95aa66ed6929d8f80706200
SHA1:	e1c6f8ae524d8bd9ef91fbeccfcb8952b00d25fa
SHA256:	7d5e85dbdbf85ed033be48f7ef38ef438be15db869b2950a359f9e23cc1f58cb
SHA512:	8b8a2676c78b3c088dfbf82ae9a512e949e12004589052a20a323c164309ad6b454a5424970b1e7b8293a116b0c9403a9f99a2e436df849ffd2d82a9d0e73233
SSDEEP:	49152:rJTcz0A+biU50unDNyGAhmq6KGk/cHrOGGY8Wea/xwuy2QxNwCsec+4VGWSlnfYC:yKUhN6TkkHQ2tVvO3PfY4
TLSH:	9306AF21796EC137EA6F04719939EA6AA43D6DE30B7009EBA3F0F85959305C27335F42
File Content Preview:	........................>...................>...................................H.......d.......l...............................a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v..

File Icon


Icon Hash:	2d2e3797b32b2b99

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report allpdfpro.msi

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Config.Msi\38de4a.rbs

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\ONESTART.PACKED.7Z

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\SETUP.EX_

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_2FC35.tmp\setup.exe

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe (copy)

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part

C:\Users\user\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\master_preferences

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source5136_15266286\onestart.7z

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Update\transfer.dat

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Temp\MSIA9E1.tmp

C:\Users\user\AppData\Local\Temp\MSIAA20.tmp

C:\Windows\Installer\38de49.msi

C:\Windows\Installer\MSIE0CD.tmp

C:\Windows\Installer\MSIE0FD.tmp

C:\Windows\Installer\SourceHash{7A9DB5C8-BB7E-475A-A6B2-F867AB4DA720}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF5EFC17A1543D526C.TMP

C:\Windows\Temp\~DF6D9A7D265DFE082C.TMP

C:\Windows\Temp\~DF8C737CE36783B513.TMP

C:\Windows\Temp\~DFA8D785928AF0AF9D.TMP

Static File Info

General

File Icon

Windows Analysis Report
allpdfpro.msi