Windows Analysis Report
runonce.exe

Overview

General Information

Sample name:	runonce.exe
Analysis ID:	1543805
MD5:	346e10b2e65680b29fdd16131dbf12ba
SHA1:	51c7d3e93eb83f9474d4c3cbb5c3ac40cea40355
SHA256:	0e8dfe0ae97133bf844939886a773489d1b21e520689d38ca7be105d4f832ad6
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Sigma detected: System File Execution Location Anomaly

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Signatures

Uses 32bit PE files

Source: runonce.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: runonce.exe

Static PE information: certificate valid

Source: runonce.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AccessControl.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AccessControl.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AccessControl.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: runonce.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: AccessControl.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: runonce.exe, 00000000.00000002.2118704065.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.dell.com
Source: runonce.exe, 00000000.00000002.2118704065.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.dell.com/
Source: AccessControl.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Detected potential crypto function

Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00406DC6		0_2_00406DC6
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_0040759D		0_2_0040759D

Uses 32bit PE files

Source: runonce.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus24.winEXE@4/5@0/0

Source: C:\Users\user\Desktop\runonce.exe

0_2_00403532

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\runonce.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2AA9978F-CCEB-4156-859E-D84D5CE6A993}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03

Source: C:\Users\user\Desktop\runonce.exe

File created: C:\Users\user\AppData\Local\Temp\nsjF71D.tmp

Jump to behavior

Source: runonce.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\runonce.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

File read: C:\Users\user\Desktop\runonce.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\runonce.exe "C:\Users\user\Desktop\runonce.exe"
Source: C:\Users\user\Desktop\runonce.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\runonce.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer	Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: runonce.exe

Static PE information: certificate valid

Source: runonce.exe

Static file information: File size 40855120 > 1048576

Source: runonce.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Drops PE files

Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	Jump to dropped file

Source: C:\Users\user\Desktop\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	Jump to dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Users\user\Desktop\runonce.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\runonce.exe

Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

0_2_00403532

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1543805
Product:	CloudBasic
Start time:	13:44:12
Start date:	28.10.2024
Sample:	runonce.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	346e10b2e65680b29fdd16131dbf12ba
SHA1:	51c7d3e93eb83f9474d4c3cbb5c3ac40cea40355
SHA256:	0e8dfe0ae97133bf844939886a773489d1b21e520689d38ca7be105d4f832ad6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\DellPair-1.2.4-in.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	69CBB7C54EB8B52AB4EF6F5A121ACDF2	576FEDAA87A617D3CB6F9539EC2AE1B26888B161	4806F50C4AFF6299F165539A5E59FE9EFDF4E29088CFD7D61AEB7DAF6AFA2650
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CAFE177FC6D9492042CFEA6F370B7648	6901FFAF7B8E3DE0661AC1E427BDF8E469F94802	BC2C42EBF191CBD6374818B796BBB2D8C213C1FBFCEB1E8B4253B04894EEFBE8
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EC59E06851E742F8415BB1C3C66AE993	EE7C03D70621CE17B6C020932A38ADCC5B08D84A	19ACE66BDC06055E281DAD38D862612D2DFE2B6F05D273639E65D4CCDA7530DB
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BC86B4F2A493162CC45D32188ED6C8C7	D828F960EF068338CB988DBA99C81E824D79D3A2	474266DEBBF0C41E6B66E5F90581A4640F51688135D2B42C0A7F5080D3153EB1
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CFC262CCBC117FEEBB7B84FB9488D0C	49B8E5061FD5F940761CB4BC814553EF2729223E	C52A43D96AF1F31C74696DE1E1971E437B97DFB69C702E6F48F163EA157DB079

Windows Analysis Report
runonce.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report runonce.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
runonce.exe