Windows Analysis Report
OneStart.exe

Overview

General Information

Sample name: OneStart.exe
Analysis ID: 1663310
MD5: 201ca7e5224e05fc81e7291bce36efc2
SHA1: 28854877ea28c2ea1e0b38eec3c074f810daea1d
SHA256: 093982b3c7045d7bd54ec838c8e0af225842515901fa1829b97cfc396565ae8b

Detection

Score: 17
Range: 0 - 100
Confidence: 40%

Signatures

Uses Windows timers to delay execution
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Source: OneStart.exe Static PE information: certificate valid
Source: OneStart.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: OneStart.exe String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: OneStart.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: OneStart.exe String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: OneStart.exe String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: OneStart.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: OneStart.exe String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Img/pdf-welcome2.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Img/pdf-welcome2.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/OneStart;component/Img/background1a.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/OneStart;component/Img/background1a.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/OneStart;component/Img/close-32.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/OneStart;component/Img/close-32.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/OneStart;component/Page2a.xaml
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/OneStart;component/Page2a.xamld
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Img/background1a.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Img/background1a.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Img/close-32.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Img/close-32.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Img/pdf-welcome2.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Img/pdf-welcome2.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Page2a.xaml
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Page2a.xamld
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/img/background1a.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/img/background1a.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/img/close-32.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/img/close-32.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/img/pdf-welcome2.png
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/img/pdf-welcome2.pngd
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/page2a.baml
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/page2a.bamld
Source: OneStart.exe String found in binary or memory: http://ocsps.ssl.com0
Source: OneStart.exe String found in binary or memory: http://ocsps.ssl.com0?
Source: OneStart.exe String found in binary or memory: http://ocsps.ssl.com0P
Source: OneStart.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: OneStart.exe String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onestart.ai/
Source: OneStart.exe String found in binary or memory: https://onestart.ai/Chttps://onestart.ai/terms-of-use/
Source: OneStart.exe String found in binary or memory: https://onestart.ai/privacy-policy/
Source: OneStart.exe String found in binary or memory: https://onestart.ai/privacy-policy/?
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://onestart.ai/terms-of-use/
Source: OneStart.exe String found in binary or memory: https://onestart.ai/terms-of-use/?
Source: OneStart.exe String found in binary or memory: https://onestart.ai/uninstall/
Source: OneStart.exe String found in binary or memory: https://resources.onestartapi.com/UpdaterSetup_134.0.6998.101.exe
Source: OneStart.exe String found in binary or memory: https://resources.onestartapi.com/UpdaterSetup_134.0.6998.101.exezA
Source: OneStart.exe String found in binary or memory: https://www.ssl.com/repository0
Sample file is different than original file name gathered from version info
Source: OneStart.exe, 00000000.00000002.2500184270.0000000002B11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs OneStart.exe
Source: OneStart.exe, 00000000.00000002.2496546682.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs OneStart.exe
Source: classification engine Classification label: clean17.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\OneStart.exe Mutant created: NULL
Source: OneStart.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OneStart.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\OneStart.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: OneStart.exe String found in binary or memory: 13--install --install-dir="
Source: OneStart.exe String found in binary or memory: %" --install-pref="
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page4a+<btnInstall_Click>d__8
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page4a+<btnInstall_Click>d__8#
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page3a+<btnInstall_Click>d__8
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page3a+<btnInstall_Click>d__82
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page2a+<btnInstall_Click>d__8
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page2a+<btnInstall_Click>d__82
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page1a+<btnInstall_Click>d__8
Source: OneStart.exe String found in binary or memory: -InstallerWpfApp.Page1a+<btnInstall_Click>d__83
Source: OneStart.exe String found in binary or memory: /InstallerWpfApp.Page1c+<DownloadFileAsync>d__14
Source: OneStart.exe String found in binary or memory: /InstallerWpfApp.Page1c+<DownloadFileAsync>d__14=
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: msctfui.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\OneStart.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: OneStart.exe Static PE information: certificate valid
Source: OneStart.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OneStart.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: OneStart.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains a suspicious time stamp
Source: OneStart.exe Static PE information: 0xA5EDA8F0 [Wed Mar 20 02:12:00 2058 UTC]
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses Windows timers to delay execution
Source: C:\Users\user\Desktop\OneStart.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe User Timer Set: Timeout: 125ms Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe User Timer Set: Timeout: 1ms Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\OneStart.exe Memory allocated: 1160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Memory allocated: 2B10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Memory allocated: 2940000 memory reserve | memory write watch Jump to behavior
Potential time zone aware malware
Source: C:\Users\user\Desktop\OneStart.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\OneStart.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Users\user\Desktop\OneStart.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OneStart.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1663310 Sample: OneStart.exe Startdate: 11/04/2025 Architecture: WINDOWS Score: 17 4 OneStart.exe 2 2->4         started        signatures3 7 Uses Windows timers to delay execution 4->7
No contacted IP infos