PUP.Onestart.ai

Threat Scorecard

Popularity Rank: 379
Threat Level: 10 % (Normal)
Infected Computers: 6,550
First Seen: February 18, 2025
Last Seen: February 8, 2026
OS(es) Affected: Windows

Registry Details

PUP.Onestart.ai may create the following registry entry or registry entries:
File name without path
OneStart.lnk
Regexp file mask
%windir%\system32\tasks\onestartupdater
%windir%\system32\tasks\onestartuser
Software\Classes\OneStart.aiUpdate.Update3WebUser
Software\Clients\StartMenuInternet\OneStart.ELFCRJCXLYA2DS7QOCP5YHK7HM
SOFTWARE\Clients\StartMenuInternet\OneStart.UCUBKJGDULZB5GHKEXRPBT752M
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneStartUser
Software\Microsoft\Windows\CurrentVersion\App Paths\onestart.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated\OneStart.ELFCRJCXLYA2DS7QOCP5YHK7HM
Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched\OneStart.ELFCRJCXLYA2DS7QOCP5YHK7HM
SOFTWARE\OneStart.ai
Software\RegisteredApplications\OneStart.ELFCRJCXLYA2DS7QOCP5YHK7HM
SOFTWARE\WOW6432Node\Microsoft\Tracing\OneStart_RASAPI32
SOFTWARE\WOW6432Node\Microsoft\Tracing\OneStart_RASMANCS

Directories

PUP.Onestart.ai may create the following directory or directories:

%LOCALAPPDATA%\OneStart.ai
%userprofile%\onestart.ai
%windir%\system32\tasks\OneStartUser

Analysis Report

General information

Family Name: PUP.Onestart.ai
Signature status: Root Not Trusted

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 6.3.32.0
  • 6.1.33.0
  • 6.0.34.0
Comments OneStartBrowser
Company Name
  • OneStart.ai
Company Short Name OneStart.ai
File Description
  • OneStart
  • OneStartBrowser
  • OneStart Installer
File Version
  • 138.0.7204.185
  • 136.0.7103.112
  • 136.0.7103.107
  • 136.0.7103.101
  • 134.0.6998.175
  • 6.3.32.0
  • 6.1.33.0
  • 6.0.34.0
Internal Name
  • eventlog_provider_dll
  • OneStart.exe
  • OneStart Installer (x64)
Last Change
  • 5b465232cdf7231fa292f920fa33b217af66a01a
  • 17e1317f6960e3a0bf9dcc371613c98a6d7db701
Legal Copyright
  • Copyright 2024 OneStart.ai. All rights reserved.
  • Copyright 2025 OneStart.ai. All rights reserved.
  • Copyright © OneStart.ai 2025
Official Build 1
Original Filename
  • eventlog_provider.dll
  • OneStart.exe
  • UpdaterSetup.exe
Product Name
  • OneStart
  • OneStartBrowser
  • OneStart Installer
Product Short Name
  • OneStart
  • OneStartUpdater
Product Version
  • 138.0.7204.185
  • 136.0.7103.112
  • 136.0.7103.107
  • 136.0.7103.101
  • 134.0.6998.175
  • 6.3.32.0
  • 6.1.33.0
  • 6.0.34.0

Digital Signatures

Signer: OneStart Technologies LLC
Root: DigiCert Trusted Root G4
Status: Root Not Trusted

Block Information

Total Blocks: 1
Potentially Malicious Blocks: 0
Whitelisted Blocks: 1
Unknown Blocks: 0

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • setsockopt
Network Winhttp
  • WinHttpOpen
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
