
Analysis Report: Coronavirus Disease (COVID-19) CURE.bin

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 216732
Start date: 20.03.2020
Start time: 02:08:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Coronavirus Disease (COVID-19) CURE.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@5/3@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 16.2% (good quality ratio 10.5%)
  • Quality average: 38.8%
  • Quality standard deviation: 33.3%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 243
  • Number of non-executed functions: 17
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/216732/sample/Coronavirus Disease (COVID-19) CURE.exe
  • Timeout during Intezer genetic analysis for unpackpe/2.2.MSBuild.exe.85f0000.3.unpack

Detection

Strategy    Score   Range      Reporting   Whitelisted   Threat    Detection
Threshold   100     0 - 100                false         HawkEye   malicious

Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification Spiderchart

MITRE ATT&CK Matrix

Techniques are listed per tactic column; the number in parentheses is the count shown beside the technique in the original matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Windows Management Instrumentation (511); Execution through API (1); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Masquerading (1); Software Packing (3); Disabling Security Tools (1); Virtualization/Sandbox Evasion (33); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Virtualization/Sandbox Evasion (33); Process Discovery (1); Security Software Discovery (521); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (113); Network Sniffing; Network Service Scanning
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted (11); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol (1); Remote Access Tools (1); Remote File Copy (1); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (2); Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ | URL Reputation: Label: malware
Found malware configuration
Source: MSBuild.exe.5724.2.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: Coronavirus Disease (COVID-19) CURE.exe | Virustotal: Detection: 49%
Source: Coronavirus Disease (COVID-19) CURE.exe | ReversingLabs: Detection: 61%
Machine Learning detection for sample
Source: Coronavirus Disease (COVID-19) CURE.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: bot.whatismyipaddress.com; Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 66.171.248.178
Source: Joe Sandbox View | IP Address: 66.171.248.178
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: bot.whatismyipaddress.com; Connection: Keep-Alive
Found strings which match to known social media urls
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 208.168.6.0.in-addr.arpa
Urls found in memory or binary data
Source: MSBuild.exe, 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
Source: MSBuild.exe, 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.comx&
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.745711799.00000000059AC000.00000004.00000001.sdmp, Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753039601.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://en.w
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.747097312.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.751870970.0000000005994000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.759052801.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.759052801.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html$e
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753273648.00000000059AF000.00000004.00000001.sdmp, Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.752859076.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753273648.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comJh
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753273648.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlg
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.752859076.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.752859076.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comof
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753273648.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comue
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750147511.00000000059B0000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750576454.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/f
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750147511.00000000059B0000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnS
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750349680.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnei
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750349680.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnfou
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750349680.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnighYa
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.750147511.00000000059B0000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnpu
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755215583.00000000059AF000.00000004.00000001.sdmp, Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754057682.00000000059B1000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755215583.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755215583.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755126464.00000000059B9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754402380.00000000059AD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755215583.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754894588.00000000059BA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/b
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754402380.00000000059AD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755215583.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754057682.00000000059B1000.00000004.00000001.sdmp, Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754598295.00000000059B1000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.755126464.00000000059B9000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.754057682.00000000059B1000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sd
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmp, Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.759164384.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.759334990.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comh
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.749339227.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.749339227.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr$
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.749339227.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTF
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753039601.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.753163529.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlG
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.746766965.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.746766965.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.net=n9
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.778427196.0000000005AE6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.746766965.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netF
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.746766965.00000000059AC000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netrz
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.752859076.00000000059AF000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000003.752149678.00000000059AD000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.775257737.00000000045E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY
Source: Yara match | File source: Process Memory Space: Coronavirus Disease (COVID-19) CURE.exe PID: 5660, type: MEMORY
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 00000000.00000002.775257737.00000000045E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: Coronavirus Disease (COVID-19) CURE.exe PID: 5660, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 2.2.MSBuild.exe.3070000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 2.2.MSBuild.exe.3070000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Detected potential crypto function
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Code functions: 0_2_03264F20, 0_2_03262408, 0_2_032626A0, 0_2_032632A8, 0_2_032644F0, 0_2_03262B19, 0_2_0326334A, 0_2_0326388A, 0_2_03264598, 0_2_032623F9, 0_2_032644DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code functions: 2_2_01578B40, 2_2_015779C8, 2_2_01574FF0, 2_2_01577E50, 2_2_01571C58, 2_2_01573260, 2_2_015774B1, 2_2_01570CA0, 2_2_01573359, 2_2_01571B72, 2_2_01573B63, 2_2_01573B68, 2_2_01573968, 2_2_01577F32, 2_2_0157333F, 2_2_01573FD8, 2_2_015753C8, 2_2_01572FC8, 2_2_01573FC8, 2_2_01574FE0, 2_2_015799EB, 2_2_01576990, 2_2_01573380, 2_2_01576980, 2_2_01574BB0, 2_2_015753B9, 2_2_01572FB8, 2_2_015779B8, 2_2_01573250, 2_2_01577E40, 2_2_01578208, 2_2_01570828, 2_2_015738D0, 2_2_015732DA, 2_2_015774C0, 2_2_015732F3, 2_2_01570C90, 2_2_015760B0, 2_2_015732A1, 2_2_015760A8
Sample file is different than original file name gathered from version info
Source: Coronavirus Disease (COVID-19) CURE.exe | Binary or memory string: OriginalFilename vs Coronavirus Disease (COVID-19) CURE.exe
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.783356035.0000000007660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Coronavirus Disease (COVID-19) CURE.exe
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs Coronavirus Disease (COVID-19) CURE.exe
Source: Coronavirus Disease (COVID-19) CURE.exe | Binary or memory string: OriginalFilenameuhLtUCN.exe< vs Coronavirus Disease (COVID-19) CURE.exe
Yara signature match
Source: 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000002.775257737.00000000045E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Coronavirus Disease (COVID-19) CURE.exe PID: 5660, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 2.2.MSBuild.exe.3070000.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 2.2.MSBuild.exe.3070000.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: Coronavirus Disease (COVID-19) CURE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functions
Source: 2.2.MSBuild.exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
.NET source code contains many API calls related to security
Source: 2.2.MSBuild.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 2.2.MSBuild.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 2.2.MSBuild.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 2.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.MSBuild.exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Binary contains paths to development resources
Source: MSBuild.exe, 00000002.00000002.775151227.00000000013A0000.00000004.00000020.sdmp | Binary or memory string: D;.VBp
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/3@2/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Code function: 0_2_06B2058E AdjustTokenPrivileges, 0_2_06B2058E
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Code function: 0_2_06B20557 AdjustTokenPrivileges, 0_2_06B20557
Creates files inside the user directory
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Coronavirus Disease (COVID-19) CURE.exe.log
Creates mutexes
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Mutant created: \Sessions\1\BaseNamedObjects\BpJxWNwjELBgwebIBxaD
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File created: C:\Users\user\AppData\Local\Temp\47b80686-5bce-b861-1d58-20829f456353
PE file has an executable .text section and no other executable section
Source: Coronavirus Disease (COVID-19) CURE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Reads software policies
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by Antivirus
Source: Coronavirus Disease (COVID-19) CURE.exe | Virustotal: Detection: 49%
Source: Coronavirus Disease (COVID-19) CURE.exe | ReversingLabs: Detection: 61%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe 'C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Uses an in-process (OLE) Automation server
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
PE file contains a COM descriptor data directory
Source: Coronavirus Disease (COVID-19) CURE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Coronavirus Disease (COVID-19) CURE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: MSBuild.exe, 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.783356035.0000000007660000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Code function: 0_2_00E52C7C push ebx; ret 0_2_00E52CA3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 2_2_01579528 pushad ; iretd 2_2_015799B1
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.96765953645

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY
Queries memory information (via WMI, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Manufacturer FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT SystemBiosMajorVersion FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT SystemBiosMinorVersion FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ReleaseDate FROM Win32_BIOS
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Caption FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe TID: 5664 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4328 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5728 | Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: MSBuild.exe, 00000002.00000002.780410148.00000000085F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000002.00000002.780410148.00000000085F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000002.00000002.780410148.00000000085F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000002.00000002.775246200.00000000013D3000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000002.00000002.780410148.00000000085F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 2.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Coronavirus Disease (COVID-19) CURE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: MSBuild.exe, 00000002.00000002.778035817.0000000003560000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.775257737.00000000045E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY
Source: Yara match File source: Process Memory Space: Coronavirus Disease (COVID-19) CURE.exe PID: 5660, type: MEMORY
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000002.00000003.766887434.0000000004DD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY
Source: Yara match File source: 2.2.MSBuild.exe.3070000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MSBuild.exe.3070000.1.raw.unpack, type: UNPACKEDPE
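The Yara-match sources above are Joe Sandbox memory-dump identifiers. Only one of them carries protection value 00000040: the region at 0x402000 in process index 2 (MSBuild.exe), which is also the dump that unpacks to 2.2.MSBuild.exe.400000.0.unpack. A writable and executable page at the default 0x400000 image base of a .NET Framework host process is consistent with code written into MSBuild.exe rather than an image the loader mapped. The Python below is an added example, not Joe Sandbox code: it parses these names and picks out writable-executable regions. The six-field layout it assumes (process index, dump index, dump id, base address, page protection, region type) is inferred from the names on this page, supported by the two protection values seen here, 0x04 and 0x40, being exactly PAGE_READWRITE and PAGE_EXECUTE_READWRITE.

```python
"""
Decode Joe Sandbox memory-dump identifiers such as
00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp
and flag regions that were both writable and executable.

Added example, not Joe Sandbox code.  The field layout is this example's
assumption, inferred from the names in the report.
"""
from dataclasses import dataclass

# Windows page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80


@dataclass(frozen=True)
class DumpRef:
    process_index: int   # index into the report's process list (2 = MSBuild.exe here)
    dump_index: int
    dump_id: int
    base: int            # region base address
    protection: int      # raw PAGE_* value
    region_type: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECT.get(self.protection & 0xFF, hex(self.protection))

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITABLE_MASK)


def parse_dump_ref(name: str) -> DumpRef:
    """Parse '<proc>.<dump>.<id>.<base>.<prot>.<type>.sdmp' (assumed layout)."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a .sdmp reference: {name}")
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 6:
        raise ValueError(f"expected 6 dotted fields, got {len(parts)}: {name}")
    proc, dump, dump_id, base, prot, rtype = parts
    return DumpRef(
        process_index=int(proc, 10),
        dump_index=int(dump, 10),
        dump_id=int(dump_id, 10),
        base=int(base, 16),       # address fields are hexadecimal
        protection=int(prot, 16),  # 0x04 / 0x40 on this page
        region_type=int(rtype, 16),
    )


def rwx_regions(names: list[str]) -> list[DumpRef]:
    """Return the dumps whose pages were writable AND executable.

    A loader-mapped PE keeps .text as PAGE_EXECUTE_READ; a writable
    executable region at a low image base is the usual footprint of code
    written into a process by hand.
    """
    refs = [parse_dump_ref(n) for n in names]
    return [r for r in refs if r.executable and r.writable]


# Yara-match sources copied from this report.
REPORT_DUMPS = [
    "00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp",
    "00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp",
    "00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmp",
    "00000000.00000002.775257737.00000000045E0000.00000004.00000001.sdmp",
    "00000002.00000003.766887434.0000000004DD3000.00000004.00000001.sdmp",
    "00000002.00000002.775990524.0000000003070000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for ref in rwx_regions(REPORT_DUMPS):
        print(f"process {ref.process_index}: {ref.protection_name} at {ref.base:#x}")
```

Run against the six dump names from this report it flags exactly one region, process 2 at 0x402000 with PAGE_EXECUTE_READWRITE; every other match sits in PAGE_READWRITE heap memory, where the decrypted configuration and the dropped NirSoft modules live.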

Remote Access Functionality:

Detected HawkEye Rat
Source: Coronavirus Disease (COVID-19) CURE.exe, 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: MSBuild.exe, 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000002.00000002.773814243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.776785438.00000000048FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.778110080.0000000003579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.775257737.00000000045E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5724, type: MEMORY
Source: Yara match File source: Process Memory Space: Coronavirus Disease (COVID-19) CURE.exe PID: 5660, type: MEMORY
Source: Yara match File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
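Two string-level indicators in this report identify the family: the list of AV and analysis-tool process names found in MSBuild.exe memory under "Lowering of HIPS / PFW / Operating System Security Settings" (the input to the builder's AntiVirusKiller option), and the underscore-joined member-name string just above, which is the HawkEye configuration schema as it survives in memory. The Python below is an added example, not Joe Sandbox or HawkEye code. It splits the schema string into its fields and groups them by capability, then scans a memory blob for both indicator sets and for the NirSoft module names from the extracted configuration, in ASCII and in the UTF-16LE that .NET strings use. The scoring thresholds and the sample dump bytes are this example's own constructions.

```python
"""
Triage a process memory dump for the HawkEye indicators this report lists.
Added example, not Joe Sandbox or HawkEye code.
"""
import re
from collections import Counter

# Process names the report found in MSBuild.exe memory (AntiVirusKiller target list).
AV_PROCESS_NAMES = [
    "bdagent.exe", "MSASCui.exe", "avguard.exe", "avgrsx.exe", "avcenter.exe",
    "avp.exe", "zlclient.exe", "wireshark.exe", "avgcsrvx.exe", "avgnt.exe",
    "hijackthis.exe", "avgui.exe", "avgwdsvc.exe", "mbam.exe", "MsMpEng.exe",
    "ComboFix.exe",
]

# Member-name string found in both processes: the config class's fields, each
# prefixed with an underscore.
CONFIG_MARKER = (
    "_Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL"
    "_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret"
    "_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo"
    "_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance"
    "_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit"
    "_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay"
    "_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon"
    "_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites"
    "_FileBinder_FileBinderFiles"
)

# Module names from the extracted configuration (bundled NirSoft recovery tools).
NIRSOFT_MODULES = ["browserpv", "mailpv", "WebBrowserPassView"]


def config_fields(marker: str) -> list[str]:
    """Split the underscore-joined member string into field names."""
    return [f for f in marker.split("_") if f]


def capabilities(fields: list[str]) -> dict[str, list[str]]:
    """Group config fields by what they control; the grouping is this example's."""
    groups: dict[str, list[str]] = {
        "delivery": [], "collection": [], "disablers": [],
        "anti_analysis": [], "install": [], "other": [],
    }
    for f in fields:
        if f == "Delivery" or f.startswith(("Email", "FTP", "Proxy", "Panel")):
            groups["delivery"].append(f)
        elif f.endswith("Logger") or f in ("PasswordStealer", "SystemInfo", "LogInterval"):
            groups["collection"].append(f)
        elif f.startswith("Disable"):
            groups["disablers"].append(f)
        elif f in ("AntiVirusKiller", "BotKiller", "AntiDebugger",
                   "ProcessProtection", "ProcessElevation", "ExecutionDelay"):
            groups["anti_analysis"].append(f)
        elif f.startswith("Install") or f in ("HideFile", "MeltFile", "ZoneID", "HistoryCleaner"):
            groups["install"].append(f)
        else:
            groups["other"].append(f)
    return groups


def find_strings(blob: bytes, needles: list[str]) -> dict[str, int]:
    """Count case-insensitive hits per needle, in ASCII and UTF-16LE."""
    hits: Counter = Counter()
    for needle in needles:
        for enc in (needle.encode("ascii"), needle.encode("utf-16-le")):
            n = len(re.findall(re.escape(enc), blob, re.IGNORECASE))
            if n:
                hits[needle] += n
    return dict(hits)


def triage(blob: bytes) -> dict:
    """Score a dump; thresholds are this example's, not Joe Sandbox's."""
    av = find_strings(blob, AV_PROCESS_NAMES)
    nirsoft = find_strings(blob, NIRSOFT_MODULES)
    marker = bool(find_strings(blob, [CONFIG_MARKER]))
    hawkeye_like = marker or (len(av) >= 5 and len(nirsoft) >= 1)
    return {"av_process_hits": av, "nirsoft_hits": nirsoft,
            "config_marker": marker, "hawkeye_like": hawkeye_like}


# Constructed stand-in for a memory dump; not bytes from the real sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"avp.exe\x00MsMpEng.exe\x00mbam.exe\x00wireshark.exe\x00ComboFix.exe\x00"
    + "WebBrowserPassView".encode("utf-16-le")
    + b"\x00" * 8
    + CONFIG_MARKER.encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for group, names in capabilities(config_fields(CONFIG_MARKER)).items():
        print(f"{group:14s} {', '.join(names)}")
    print(triage(SAMPLE_DUMP))
```

The schema string alone is a strong match: it is the full member list of the builder's settings class, and its presence in the original executable's heap as well as in the MSBuild.exe image shows the configuration is decrypted in the dropper before the payload is injected. Searching both encodings matters in practice because .NET keeps string literals as UTF-16LE while the dropped NirSoft binaries are native and carry their names in ASCII.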

Malware Configuration

Threatname: HawkEye

{"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}

Behavior Graph

Simulations

Behavior and APIs

Time      Type             Description
02:09:20  API Interceptor  2x Sleep call for process: MSBuild.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                                   Detection  Scanner         Label
Coronavirus Disease (COVID-19) CURE.exe  49%        Virustotal
Coronavirus Disease (COVID-19) CURE.exe  61%        ReversingLabs   ByteCode-MSIL.Trojan.Agensla
Coronavirus Disease (COVID-19) CURE.exe  100%       Joe Sandbox ML