Analysis Report Po-covid19 2372#w2..exe

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Po-covid19 2372#w2..exe

Avira: detected

Found malware configuration

Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d7db", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d8dd", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c383", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xfd2db44c", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715022", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01541", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Source: Po-covid19 2372#w2..exe

ReversingLabs: Detection: 27%

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Po-covid19 2372#w2..exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack

Uses 32bit PE files

Source: Po-covid19 2372#w2..exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Po-covid19 2372#w2..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: msiexec.pdb source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Po-covid19 2372#w2..exe, 00000003.00000002.299260110.000000000160F000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Po-covid19 2372#w2..exe, msiexec.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 4x nop then pop esi		3_2_004172D9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 4x nop then pop edi		3_2_00417D8F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop esi		14_2_006972D9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi		14_2_00697D8F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct HTTP/1.1Host: www.thesaltlifestyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.aduhelmfinancialsupport.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8 HTTP/1.1Host: www.scientificimaginetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.johnemotions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct HTTP/1.1Host: www.thesaltlifestyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.aduhelmfinancialsupport.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8 HTTP/1.1Host: www.scientificimaginetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1Host: www.johnemotions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.thesaltlifestyle.com

Urls found in memory or binary data

Source: explorer.exe, 00000004.00000000.281618251.000000000F5C4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.;
Source: explorer.exe, 00000004.00000000.281664878.000000000F5E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com-
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227104715.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225390108.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226977608.0000000007942000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.226763972.0000000007942000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226091255.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com0
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF&
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comaA
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdZ
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226140808.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdic
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdl
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comeH
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessedZ
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225158941.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgritoe
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlic0
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comnc./S
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comow
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comzana
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn$
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn=
Source: Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228852233.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228815722.0000000007942000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmpu
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222363668.0000000007913000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222719848.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ghtsl
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/~
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225451084.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.7
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227697228.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de.
Source: Po-covid19 2372#w2..exe, 00000000.00000003.224891432.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de3z
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deXz
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deo
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: msiexec.exe, 0000000E.00000002.622832165.000000000501F000.00000004.00000001.sdmp	String found in binary or memory: https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A070 NtClose,		3_2_0041A070
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A120 NtAllocateVirtualMemory,		3_2_0041A120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419F40 NtCreateFile,		3_2_00419F40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419FF0 NtReadFile,		3_2_00419FF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A072 NtClose,		3_2_0041A072
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041A11B NtAllocateVirtualMemory,		3_2_0041A11B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419F3A NtCreateFile,		3_2_00419F3A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00419FEA NtReadFile,		3_2_00419FEA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559910 NtAdjustPrivilegesToken,LdrInitializeThunk,		3_2_01559910
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015599A0 NtCreateSection,LdrInitializeThunk,		3_2_015599A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559840 NtDelayExecution,LdrInitializeThunk,		3_2_01559840
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559860 NtQuerySystemInformation,LdrInitializeThunk,		3_2_01559860
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015598F0 NtReadVirtualMemory,LdrInitializeThunk,		3_2_015598F0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A50 NtCreateFile,LdrInitializeThunk,		3_2_01559A50
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A00 NtProtectVirtualMemory,LdrInitializeThunk,		3_2_01559A00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A20 NtResumeThread,LdrInitializeThunk,		3_2_01559A20
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559540 NtReadFile,LdrInitializeThunk,		3_2_01559540
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015595D0 NtClose,LdrInitializeThunk,		3_2_015595D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559710 NtQueryInformationToken,LdrInitializeThunk,		3_2_01559710
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559780 NtMapViewOfSection,LdrInitializeThunk,		3_2_01559780
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015597A0 NtUnmapViewOfSection,LdrInitializeThunk,		3_2_015597A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559660 NtAllocateVirtualMemory,LdrInitializeThunk,		3_2_01559660
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015596E0 NtFreeVirtualMemory,LdrInitializeThunk,		3_2_015596E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559950 NtQueueApcThread,		3_2_01559950
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015599D0 NtCreateProcessEx,		3_2_015599D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155B040 NtSuspendThread,		3_2_0155B040
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559820 NtEnumerateKey,		3_2_01559820
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015598A0 NtWriteVirtualMemory,		3_2_015598A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559B00 NtSetValueKey,		3_2_01559B00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155A3B0 NtGetContextThread,		3_2_0155A3B0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A10 NtQuerySection,		3_2_01559A10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559A80 NtOpenDirectoryObject,		3_2_01559A80
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559560 NtWriteFile,		3_2_01559560
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155AD30 NtSetContextThread,		3_2_0155AD30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559520 NtWaitForSingleObject,		3_2_01559520
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015595F0 NtQueryInformationFile,		3_2_015595F0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155A770 NtOpenThread,		3_2_0155A770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559770 NtSetInformationFile,		3_2_01559770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559760 NtOpenProcess,		3_2_01559760
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155A710 NtOpenProcessToken,		3_2_0155A710
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559730 NtQueryVirtualMemory,		3_2_01559730
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559FE0 NtCreateMutant,		3_2_01559FE0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559650 NtQueryValueKey,		3_2_01559650
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559670 NtQueryInformationProcess,		3_2_01559670
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01559610 NtEnumerateValueKey,		3_2_01559610
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015596D0 NtCreateKey,		3_2_015596D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9540 NtReadFile,LdrInitializeThunk,		14_2_045C9540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C95D0 NtClose,LdrInitializeThunk,		14_2_045C95D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9650 NtQueryValueKey,LdrInitializeThunk,		14_2_045C9650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9660 NtAllocateVirtualMemory,LdrInitializeThunk,		14_2_045C9660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C96D0 NtCreateKey,LdrInitializeThunk,		14_2_045C96D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C96E0 NtFreeVirtualMemory,LdrInitializeThunk,		14_2_045C96E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9710 NtQueryInformationToken,LdrInitializeThunk,		14_2_045C9710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9FE0 NtCreateMutant,LdrInitializeThunk,		14_2_045C9FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9780 NtMapViewOfSection,LdrInitializeThunk,		14_2_045C9780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9840 NtDelayExecution,LdrInitializeThunk,		14_2_045C9840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9860 NtQuerySystemInformation,LdrInitializeThunk,		14_2_045C9860
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		14_2_045C9910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C99A0 NtCreateSection,LdrInitializeThunk,		14_2_045C99A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A50 NtCreateFile,LdrInitializeThunk,		14_2_045C9A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9560 NtWriteFile,		14_2_045C9560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CAD30 NtSetContextThread,		14_2_045CAD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9520 NtWaitForSingleObject,		14_2_045C9520
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C95F0 NtQueryInformationFile,		14_2_045C95F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9670 NtQueryInformationProcess,		14_2_045C9670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9610 NtEnumerateValueKey,		14_2_045C9610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CA770 NtOpenThread,		14_2_045CA770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9770 NtSetInformationFile,		14_2_045C9770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9760 NtOpenProcess,		14_2_045C9760
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CA710 NtOpenProcessToken,		14_2_045CA710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9730 NtQueryVirtualMemory,		14_2_045C9730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C97A0 NtUnmapViewOfSection,		14_2_045C97A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CB040 NtSuspendThread,		14_2_045CB040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9820 NtEnumerateKey,		14_2_045C9820
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C98F0 NtReadVirtualMemory,		14_2_045C98F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C98A0 NtWriteVirtualMemory,		14_2_045C98A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9950 NtQueueApcThread,		14_2_045C9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C99D0 NtCreateProcessEx,		14_2_045C99D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A10 NtQuerySection,		14_2_045C9A10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A00 NtProtectVirtualMemory,		14_2_045C9A00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A20 NtResumeThread,		14_2_045C9A20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9A80 NtOpenDirectoryObject,		14_2_045C9A80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C9B00 NtSetValueKey,		14_2_045C9B00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045CA3B0 NtGetContextThread,		14_2_045CA3B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A070 NtClose,		14_2_0069A070
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A120 NtAllocateVirtualMemory,		14_2_0069A120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699F40 NtCreateFile,		14_2_00699F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699FF0 NtReadFile,		14_2_00699FF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A072 NtClose,		14_2_0069A072
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069A11B NtAllocateVirtualMemory,		14_2_0069A11B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699F3A NtCreateFile,		14_2_00699F3A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00699FEA NtReadFile,		14_2_00699FEA

Detected potential crypto function

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC21D9		0_2_00BC21D9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC0470		0_2_00BC0470
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC1770		0_2_00BC1770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC0EF8		0_2_00BC0EF8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC4000		0_2_00BC4000
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5230		0_2_00BC5230
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5220		0_2_00BC5220
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5438		0_2_00BC5438
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5429		0_2_00BC5429
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5698		0_2_00BC5698
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5689		0_2_00BC5689
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC5852		0_2_00BC5852
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC0E78		0_2_00BC0E78
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC4E78		0_2_00BC4E78
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC3FF0		0_2_00BC3FF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_04BB2668		0_2_04BB2668
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_04BB058F		0_2_04BB058F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_04BB06B0		0_2_04BB06B0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_0974F538		0_2_0974F538
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00401026		3_2_00401026
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00401030		3_2_00401030
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D183		3_2_0041D183
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D186		3_2_0041D186
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041EB42		3_2_0041EB42
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041EC05		3_2_0041EC05
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041E4CE		3_2_0041E4CE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00402D87		3_2_00402D87
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00402D90		3_2_00402D90
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00409E40		3_2_00409E40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_00402FB0		3_2_00402FB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151F900		3_2_0151F900
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120		3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1002		3_2_015D1002
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015EE824		3_2_015EE824
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E28EC		3_2_015E28EC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B090		3_2_0152B090
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E20A8		3_2_015E20A8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E2B28		3_2_015E2B28
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D03DA		3_2_015D03DA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DDBD2		3_2_015DDBD2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154EBB0		3_2_0154EBB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E22AE		3_2_015E22AE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E1D55		3_2_015E1D55
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E2D07		3_2_015E2D07
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01510D20		3_2_01510D20
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E25DD		3_2_015E25DD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152D5E0		3_2_0152D5E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581		3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DD466		3_2_015DD466
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152841F		3_2_0152841F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015EDFCE		3_2_015EDFCE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E1FF1		3_2_015E1FF1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DD616		3_2_015DD616
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01536E30		3_2_01536E30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E2EF7		3_2_015E2EF7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464D466		14_2_0464D466
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459841F		14_2_0459841F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04651D55		14_2_04651D55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04652D07		14_2_04652D07
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04580D20		14_2_04580D20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046525DD		14_2_046525DD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459D5E0		14_2_0459D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581		14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A6E30		14_2_045A6E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464D616		14_2_0464D616
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04652EF7		14_2_04652EF7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04651FF1		14_2_04651FF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641002		14_2_04641002
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046528EC		14_2_046528EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B090		14_2_0459B090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046520A8		14_2_046520A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458F900		14_2_0458F900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120		14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046522AE		14_2_046522AE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04652B28		14_2_04652B28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464DBD2		14_2_0464DBD2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BEBB0		14_2_045BEBB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D183		14_2_0069D183
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D186		14_2_0069D186
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069E4CE		14_2_0069E4CE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00682D87		14_2_00682D87
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00682D90		14_2_00682D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00689E40		14_2_00689E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_00682FB0		14_2_00682FB0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: String function: 0151B150 appears 45 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 0458B150 appears 35 times

PE file contains strange resources

Source: Po-covid19 2372#w2..exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Po-covid19 2372#w2..exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Po-covid19 2372#w2..exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Po-covid19 2372#w2..exe	Binary or memory string: OriginalFilename vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.250216585.0000000000B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.248339854.000000000017A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.263476801.0000000009000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000002.00000000.244485591.000000000023A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000003.00000000.246312953.0000000000ABA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000003.00000002.299564260.000000000179F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe, 00000003.00000002.298645878.000000000141F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs Po-covid19 2372#w2..exe
Source: Po-covid19 2372#w2..exe	Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: Po-covid19 2372#w2..exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Po-covid19 2372#w2..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@6/4

Creates files inside the user directory

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Po-covid19 2372#w2..exe.log

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01

PE file has an executable .text section and no other executable section

Source: Po-covid19 2372#w2..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Po-covid19 2372#w2..exe

ReversingLabs: Detection: 27%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
Source: unknown	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: Po-covid19 2372#w2..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

PE file has a big code size

Source: Po-covid19 2372#w2..exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: Po-covid19 2372#w2..exe

Static file information: File size 1304576 > 1048576

PE file has a big raw section

Source: Po-covid19 2372#w2..exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106200

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Po-covid19 2372#w2..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: msiexec.pdb source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Po-covid19 2372#w2..exe, 00000003.00000002.299260110.000000000160F000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Po-covid19 2372#w2..exe, msiexec.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00076008 push ss; iretd		0_2_0007600A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_000723E2 push eax; ret		0_2_000723E3
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_00BC2488 push ss; iretd		0_2_00BC249B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 0_2_09743122 pushad ; iretd		0_2_09743123
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 2_2_00136008 push ss; iretd		2_2_0013600A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 2_2_001323E2 push eax; ret		2_2_001323E3
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D0E2 push eax; ret		3_2_0041D0E8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D0EB push eax; ret		3_2_0041D152
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D095 push eax; ret		3_2_0041D0E8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D14C push eax; ret		3_2_0041D152
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0041D95B push ebp; iretd		3_2_0041D95F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_004163D5 push ebx; ret		3_2_004163D6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_009B6008 push ss; iretd		3_2_009B600A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_009B23E2 push eax; ret		3_2_009B23E3
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0156D0D1 push ecx; ret		3_2_0156D0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045DD0D1 push ecx; ret		14_2_045DD0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D0EB push eax; ret		14_2_0069D152
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D0E2 push eax; ret		14_2_0069D0E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D095 push eax; ret		14_2_0069D0E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D14C push eax; ret		14_2_0069D152
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0069D95B push ebp; iretd		14_2_0069D95F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_006963D5 push ebx; ret		14_2_006963D6

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.44459929766

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEA

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.253062095.0000000002708000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Po-covid19 2372#w2..exe PID: 5532, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 00000000006898E4 second address: 00000000006898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000000689B5E second address: 0000000000689B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Code function: 3_2_00409A90 rdtsc

3_2_00409A90

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe TID: 4012	Thread sleep time: -31500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe TID: 6008	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6472	Thread sleep count: 54 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6472	Thread sleep time: -108000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3576	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3576	Thread sleep time: -66000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000002.635752536.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.276645530.00000000088C3000.00000004.00000001.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAA
Source: explorer.exe, 00000004.00000002.617345599.0000000001438000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWal<%SystemRoot%\system32\mswsock.dllkagesB
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.275860033.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.268460386.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.276275523.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Po-covid19 2372#w2..exe, 00000000.00000002.254634117.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.274761665.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Code function: 3_2_00409A90 rdtsc

3_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Code function: 3_2_0040ACD0 LdrLoadDll,

3_2_0040ACD0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153B944 mov eax, dword ptr fs:[00000030h]		3_2_0153B944
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153B944 mov eax, dword ptr fs:[00000030h]		3_2_0153B944
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B171 mov eax, dword ptr fs:[00000030h]		3_2_0151B171
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B171 mov eax, dword ptr fs:[00000030h]		3_2_0151B171
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C962 mov eax, dword ptr fs:[00000030h]		3_2_0151C962
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519100 mov eax, dword ptr fs:[00000030h]		3_2_01519100
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519100 mov eax, dword ptr fs:[00000030h]		3_2_01519100
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519100 mov eax, dword ptr fs:[00000030h]		3_2_01519100
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154513A mov eax, dword ptr fs:[00000030h]		3_2_0154513A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154513A mov eax, dword ptr fs:[00000030h]		3_2_0154513A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]		3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]		3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]		3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov eax, dword ptr fs:[00000030h]		3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01534120 mov ecx, dword ptr fs:[00000030h]		3_2_01534120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B1E1 mov eax, dword ptr fs:[00000030h]		3_2_0151B1E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B1E1 mov eax, dword ptr fs:[00000030h]		3_2_0151B1E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151B1E1 mov eax, dword ptr fs:[00000030h]		3_2_0151B1E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015A41E8 mov eax, dword ptr fs:[00000030h]		3_2_015A41E8
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542990 mov eax, dword ptr fs:[00000030h]		3_2_01542990
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153C182 mov eax, dword ptr fs:[00000030h]		3_2_0153C182
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A185 mov eax, dword ptr fs:[00000030h]		3_2_0154A185
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]		3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]		3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]		3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015951BE mov eax, dword ptr fs:[00000030h]		3_2_015951BE
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015461A0 mov eax, dword ptr fs:[00000030h]		3_2_015461A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015461A0 mov eax, dword ptr fs:[00000030h]		3_2_015461A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]		3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]		3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]		3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D49A4 mov eax, dword ptr fs:[00000030h]		3_2_015D49A4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015969A6 mov eax, dword ptr fs:[00000030h]		3_2_015969A6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01530050 mov eax, dword ptr fs:[00000030h]		3_2_01530050
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01530050 mov eax, dword ptr fs:[00000030h]		3_2_01530050
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E1074 mov eax, dword ptr fs:[00000030h]		3_2_015E1074
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D2073 mov eax, dword ptr fs:[00000030h]		3_2_015D2073
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E4015 mov eax, dword ptr fs:[00000030h]		3_2_015E4015
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E4015 mov eax, dword ptr fs:[00000030h]		3_2_015E4015
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597016 mov eax, dword ptr fs:[00000030h]		3_2_01597016
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597016 mov eax, dword ptr fs:[00000030h]		3_2_01597016
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597016 mov eax, dword ptr fs:[00000030h]		3_2_01597016
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]		3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]		3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]		3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152B02A mov eax, dword ptr fs:[00000030h]		3_2_0152B02A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]		3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]		3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]		3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]		3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154002D mov eax, dword ptr fs:[00000030h]		3_2_0154002D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]		3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov ecx, dword ptr fs:[00000030h]		3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]		3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]		3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]		3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AB8D0 mov eax, dword ptr fs:[00000030h]		3_2_015AB8D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015140E1 mov eax, dword ptr fs:[00000030h]		3_2_015140E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015140E1 mov eax, dword ptr fs:[00000030h]		3_2_015140E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015140E1 mov eax, dword ptr fs:[00000030h]		3_2_015140E1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015158EC mov eax, dword ptr fs:[00000030h]		3_2_015158EC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519080 mov eax, dword ptr fs:[00000030h]		3_2_01519080
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01593884 mov eax, dword ptr fs:[00000030h]		3_2_01593884
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01593884 mov eax, dword ptr fs:[00000030h]		3_2_01593884
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154F0BF mov ecx, dword ptr fs:[00000030h]		3_2_0154F0BF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154F0BF mov eax, dword ptr fs:[00000030h]		3_2_0154F0BF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154F0BF mov eax, dword ptr fs:[00000030h]		3_2_0154F0BF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015420A0 mov eax, dword ptr fs:[00000030h]		3_2_015420A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015590AF mov eax, dword ptr fs:[00000030h]		3_2_015590AF
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8B58 mov eax, dword ptr fs:[00000030h]		3_2_015E8B58
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151F358 mov eax, dword ptr fs:[00000030h]		3_2_0151F358
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151DB40 mov eax, dword ptr fs:[00000030h]		3_2_0151DB40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01543B7A mov eax, dword ptr fs:[00000030h]		3_2_01543B7A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01543B7A mov eax, dword ptr fs:[00000030h]		3_2_01543B7A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151DB60 mov ecx, dword ptr fs:[00000030h]		3_2_0151DB60
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D131B mov eax, dword ptr fs:[00000030h]		3_2_015D131B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015953CA mov eax, dword ptr fs:[00000030h]		3_2_015953CA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015953CA mov eax, dword ptr fs:[00000030h]		3_2_015953CA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]		3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]		3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]		3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]		3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]		3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015403E2 mov eax, dword ptr fs:[00000030h]		3_2_015403E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153DBE9 mov eax, dword ptr fs:[00000030h]		3_2_0153DBE9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542397 mov eax, dword ptr fs:[00000030h]		3_2_01542397
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154B390 mov eax, dword ptr fs:[00000030h]		3_2_0154B390
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D138A mov eax, dword ptr fs:[00000030h]		3_2_015D138A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CD380 mov ecx, dword ptr fs:[00000030h]		3_2_015CD380
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01521B8F mov eax, dword ptr fs:[00000030h]		3_2_01521B8F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01521B8F mov eax, dword ptr fs:[00000030h]		3_2_01521B8F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544BAD mov eax, dword ptr fs:[00000030h]		3_2_01544BAD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544BAD mov eax, dword ptr fs:[00000030h]		3_2_01544BAD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544BAD mov eax, dword ptr fs:[00000030h]		3_2_01544BAD
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E5BA5 mov eax, dword ptr fs:[00000030h]		3_2_015E5BA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DEA55 mov eax, dword ptr fs:[00000030h]		3_2_015DEA55
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015A4257 mov eax, dword ptr fs:[00000030h]		3_2_015A4257
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]		3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]		3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]		3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01519240 mov eax, dword ptr fs:[00000030h]		3_2_01519240
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0155927A mov eax, dword ptr fs:[00000030h]		3_2_0155927A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CB260 mov eax, dword ptr fs:[00000030h]		3_2_015CB260
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CB260 mov eax, dword ptr fs:[00000030h]		3_2_015CB260
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8A62 mov eax, dword ptr fs:[00000030h]		3_2_015E8A62
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov eax, dword ptr fs:[00000030h]		3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov ecx, dword ptr fs:[00000030h]		3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov eax, dword ptr fs:[00000030h]		3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01515210 mov eax, dword ptr fs:[00000030h]		3_2_01515210
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151AA16 mov eax, dword ptr fs:[00000030h]		3_2_0151AA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151AA16 mov eax, dword ptr fs:[00000030h]		3_2_0151AA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAA16 mov eax, dword ptr fs:[00000030h]		3_2_015DAA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAA16 mov eax, dword ptr fs:[00000030h]		3_2_015DAA16
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01533A1C mov eax, dword ptr fs:[00000030h]		3_2_01533A1C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01528A0A mov eax, dword ptr fs:[00000030h]		3_2_01528A0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01554A2C mov eax, dword ptr fs:[00000030h]		3_2_01554A2C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01554A2C mov eax, dword ptr fs:[00000030h]		3_2_01554A2C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542ACB mov eax, dword ptr fs:[00000030h]		3_2_01542ACB
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542AE4 mov eax, dword ptr fs:[00000030h]		3_2_01542AE4
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154D294 mov eax, dword ptr fs:[00000030h]		3_2_0154D294
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154D294 mov eax, dword ptr fs:[00000030h]		3_2_0154D294
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152AAB0 mov eax, dword ptr fs:[00000030h]		3_2_0152AAB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152AAB0 mov eax, dword ptr fs:[00000030h]		3_2_0152AAB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154FAB0 mov eax, dword ptr fs:[00000030h]		3_2_0154FAB0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]		3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]		3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]		3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]		3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015152A5 mov eax, dword ptr fs:[00000030h]		3_2_015152A5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01537D50 mov eax, dword ptr fs:[00000030h]		3_2_01537D50
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01553D43 mov eax, dword ptr fs:[00000030h]		3_2_01553D43
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01593540 mov eax, dword ptr fs:[00000030h]		3_2_01593540
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015C3D40 mov eax, dword ptr fs:[00000030h]		3_2_015C3D40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153C577 mov eax, dword ptr fs:[00000030h]		3_2_0153C577
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153C577 mov eax, dword ptr fs:[00000030h]		3_2_0153C577
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151AD30 mov eax, dword ptr fs:[00000030h]		3_2_0151AD30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DE539 mov eax, dword ptr fs:[00000030h]		3_2_015DE539
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01523D34 mov eax, dword ptr fs:[00000030h]		3_2_01523D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8D34 mov eax, dword ptr fs:[00000030h]		3_2_015E8D34
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0159A537 mov eax, dword ptr fs:[00000030h]		3_2_0159A537
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544D3B mov eax, dword ptr fs:[00000030h]		3_2_01544D3B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544D3B mov eax, dword ptr fs:[00000030h]		3_2_01544D3B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01544D3B mov eax, dword ptr fs:[00000030h]		3_2_01544D3B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]		3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]		3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]		3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov ecx, dword ptr fs:[00000030h]		3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]		3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596DC9 mov eax, dword ptr fs:[00000030h]		3_2_01596DC9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015C8DF1 mov eax, dword ptr fs:[00000030h]		3_2_015C8DF1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152D5E0 mov eax, dword ptr fs:[00000030h]		3_2_0152D5E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152D5E0 mov eax, dword ptr fs:[00000030h]		3_2_0152D5E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]		3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]		3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]		3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DFDE2 mov eax, dword ptr fs:[00000030h]		3_2_015DFDE2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154FD9B mov eax, dword ptr fs:[00000030h]		3_2_0154FD9B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154FD9B mov eax, dword ptr fs:[00000030h]		3_2_0154FD9B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]		3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]		3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]		3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01542581 mov eax, dword ptr fs:[00000030h]		3_2_01542581
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]		3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]		3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]		3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]		3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01512D8A mov eax, dword ptr fs:[00000030h]		3_2_01512D8A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01541DB5 mov eax, dword ptr fs:[00000030h]		3_2_01541DB5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01541DB5 mov eax, dword ptr fs:[00000030h]		3_2_01541DB5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01541DB5 mov eax, dword ptr fs:[00000030h]		3_2_01541DB5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E05AC mov eax, dword ptr fs:[00000030h]		3_2_015E05AC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E05AC mov eax, dword ptr fs:[00000030h]		3_2_015E05AC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015435A1 mov eax, dword ptr fs:[00000030h]		3_2_015435A1
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AC450 mov eax, dword ptr fs:[00000030h]		3_2_015AC450
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AC450 mov eax, dword ptr fs:[00000030h]		3_2_015AC450
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A44B mov eax, dword ptr fs:[00000030h]		3_2_0154A44B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153746D mov eax, dword ptr fs:[00000030h]		3_2_0153746D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E740D mov eax, dword ptr fs:[00000030h]		3_2_015E740D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E740D mov eax, dword ptr fs:[00000030h]		3_2_015E740D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E740D mov eax, dword ptr fs:[00000030h]		3_2_015E740D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]		3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]		3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]		3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596C0A mov eax, dword ptr fs:[00000030h]		3_2_01596C0A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1C06 mov eax, dword ptr fs:[00000030h]		3_2_015D1C06
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154BC2C mov eax, dword ptr fs:[00000030h]		3_2_0154BC2C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8CD6 mov eax, dword ptr fs:[00000030h]		3_2_015E8CD6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D14FB mov eax, dword ptr fs:[00000030h]		3_2_015D14FB
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596CF0 mov eax, dword ptr fs:[00000030h]		3_2_01596CF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596CF0 mov eax, dword ptr fs:[00000030h]		3_2_01596CF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01596CF0 mov eax, dword ptr fs:[00000030h]		3_2_01596CF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152849B mov eax, dword ptr fs:[00000030h]		3_2_0152849B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152EF40 mov eax, dword ptr fs:[00000030h]		3_2_0152EF40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152FF60 mov eax, dword ptr fs:[00000030h]		3_2_0152FF60
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8F6A mov eax, dword ptr fs:[00000030h]		3_2_015E8F6A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153F716 mov eax, dword ptr fs:[00000030h]		3_2_0153F716
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AFF10 mov eax, dword ptr fs:[00000030h]		3_2_015AFF10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AFF10 mov eax, dword ptr fs:[00000030h]		3_2_015AFF10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E070D mov eax, dword ptr fs:[00000030h]		3_2_015E070D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E070D mov eax, dword ptr fs:[00000030h]		3_2_015E070D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A70E mov eax, dword ptr fs:[00000030h]		3_2_0154A70E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A70E mov eax, dword ptr fs:[00000030h]		3_2_0154A70E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154E730 mov eax, dword ptr fs:[00000030h]		3_2_0154E730
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01514F2E mov eax, dword ptr fs:[00000030h]		3_2_01514F2E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01514F2E mov eax, dword ptr fs:[00000030h]		3_2_01514F2E
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015537F5 mov eax, dword ptr fs:[00000030h]		3_2_015537F5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01528794 mov eax, dword ptr fs:[00000030h]		3_2_01528794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597794 mov eax, dword ptr fs:[00000030h]		3_2_01597794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597794 mov eax, dword ptr fs:[00000030h]		3_2_01597794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01597794 mov eax, dword ptr fs:[00000030h]		3_2_01597794
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]		3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]		3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]		3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]		3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]		3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01527E41 mov eax, dword ptr fs:[00000030h]		3_2_01527E41
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAE44 mov eax, dword ptr fs:[00000030h]		3_2_015DAE44
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015DAE44 mov eax, dword ptr fs:[00000030h]		3_2_015DAE44
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]		3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]		3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]		3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]		3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0153AE73 mov eax, dword ptr fs:[00000030h]		3_2_0153AE73
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0152766D mov eax, dword ptr fs:[00000030h]		3_2_0152766D
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A61C mov eax, dword ptr fs:[00000030h]		3_2_0154A61C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0154A61C mov eax, dword ptr fs:[00000030h]		3_2_0154A61C
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C600 mov eax, dword ptr fs:[00000030h]		3_2_0151C600
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C600 mov eax, dword ptr fs:[00000030h]		3_2_0151C600
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151C600 mov eax, dword ptr fs:[00000030h]		3_2_0151C600
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01548E00 mov eax, dword ptr fs:[00000030h]		3_2_01548E00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015D1608 mov eax, dword ptr fs:[00000030h]		3_2_015D1608
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CFE3F mov eax, dword ptr fs:[00000030h]		3_2_015CFE3F
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_0151E620 mov eax, dword ptr fs:[00000030h]		3_2_0151E620
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E8ED6 mov eax, dword ptr fs:[00000030h]		3_2_015E8ED6
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_01558EC7 mov eax, dword ptr fs:[00000030h]		3_2_01558EC7
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015436CC mov eax, dword ptr fs:[00000030h]		3_2_015436CC
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015CFEC0 mov eax, dword ptr fs:[00000030h]		3_2_015CFEC0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015276E2 mov eax, dword ptr fs:[00000030h]		3_2_015276E2
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015416E0 mov ecx, dword ptr fs:[00000030h]		3_2_015416E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015AFE87 mov eax, dword ptr fs:[00000030h]		3_2_015AFE87
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E0EA5 mov eax, dword ptr fs:[00000030h]		3_2_015E0EA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E0EA5 mov eax, dword ptr fs:[00000030h]		3_2_015E0EA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015E0EA5 mov eax, dword ptr fs:[00000030h]		3_2_015E0EA5
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Code function: 3_2_015946A7 mov eax, dword ptr fs:[00000030h]		3_2_015946A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA44B mov eax, dword ptr fs:[00000030h]		14_2_045BA44B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461C450 mov eax, dword ptr fs:[00000030h]		14_2_0461C450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461C450 mov eax, dword ptr fs:[00000030h]		14_2_0461C450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A746D mov eax, dword ptr fs:[00000030h]		14_2_045A746D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641C06 mov eax, dword ptr fs:[00000030h]		14_2_04641C06
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465740D mov eax, dword ptr fs:[00000030h]		14_2_0465740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465740D mov eax, dword ptr fs:[00000030h]		14_2_0465740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465740D mov eax, dword ptr fs:[00000030h]		14_2_0465740D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]		14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]		14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]		14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606C0A mov eax, dword ptr fs:[00000030h]		14_2_04606C0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BBC2C mov eax, dword ptr fs:[00000030h]		14_2_045BBC2C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606CF0 mov eax, dword ptr fs:[00000030h]		14_2_04606CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606CF0 mov eax, dword ptr fs:[00000030h]		14_2_04606CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606CF0 mov eax, dword ptr fs:[00000030h]		14_2_04606CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046414FB mov eax, dword ptr fs:[00000030h]		14_2_046414FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658CD6 mov eax, dword ptr fs:[00000030h]		14_2_04658CD6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459849B mov eax, dword ptr fs:[00000030h]		14_2_0459849B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A7D50 mov eax, dword ptr fs:[00000030h]		14_2_045A7D50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C3D43 mov eax, dword ptr fs:[00000030h]		14_2_045C3D43
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04603540 mov eax, dword ptr fs:[00000030h]		14_2_04603540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AC577 mov eax, dword ptr fs:[00000030h]		14_2_045AC577
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AC577 mov eax, dword ptr fs:[00000030h]		14_2_045AC577
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658D34 mov eax, dword ptr fs:[00000030h]		14_2_04658D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0460A537 mov eax, dword ptr fs:[00000030h]		14_2_0460A537
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464E539 mov eax, dword ptr fs:[00000030h]		14_2_0464E539
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B4D3B mov eax, dword ptr fs:[00000030h]		14_2_045B4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B4D3B mov eax, dword ptr fs:[00000030h]		14_2_045B4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B4D3B mov eax, dword ptr fs:[00000030h]		14_2_045B4D3B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458AD30 mov eax, dword ptr fs:[00000030h]		14_2_0458AD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04593D34 mov eax, dword ptr fs:[00000030h]		14_2_04593D34
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]		14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]		14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]		14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464FDE2 mov eax, dword ptr fs:[00000030h]		14_2_0464FDE2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04638DF1 mov eax, dword ptr fs:[00000030h]		14_2_04638DF1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]		14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]		14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]		14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov ecx, dword ptr fs:[00000030h]		14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]		14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04606DC9 mov eax, dword ptr fs:[00000030h]		14_2_04606DC9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459D5E0 mov eax, dword ptr fs:[00000030h]		14_2_0459D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459D5E0 mov eax, dword ptr fs:[00000030h]		14_2_0459D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BFD9B mov eax, dword ptr fs:[00000030h]		14_2_045BFD9B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BFD9B mov eax, dword ptr fs:[00000030h]		14_2_045BFD9B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046505AC mov eax, dword ptr fs:[00000030h]		14_2_046505AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046505AC mov eax, dword ptr fs:[00000030h]		14_2_046505AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]		14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]		14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]		14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]		14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04582D8A mov eax, dword ptr fs:[00000030h]		14_2_04582D8A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]		14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]		14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]		14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2581 mov eax, dword ptr fs:[00000030h]		14_2_045B2581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B1DB5 mov eax, dword ptr fs:[00000030h]		14_2_045B1DB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B1DB5 mov eax, dword ptr fs:[00000030h]		14_2_045B1DB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B1DB5 mov eax, dword ptr fs:[00000030h]		14_2_045B1DB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B35A1 mov eax, dword ptr fs:[00000030h]		14_2_045B35A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]		14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]		14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]		14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]		14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]		14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04597E41 mov eax, dword ptr fs:[00000030h]		14_2_04597E41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464AE44 mov eax, dword ptr fs:[00000030h]		14_2_0464AE44
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464AE44 mov eax, dword ptr fs:[00000030h]		14_2_0464AE44
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]		14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]		14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]		14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]		14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AAE73 mov eax, dword ptr fs:[00000030h]		14_2_045AAE73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459766D mov eax, dword ptr fs:[00000030h]		14_2_0459766D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA61C mov eax, dword ptr fs:[00000030h]		14_2_045BA61C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA61C mov eax, dword ptr fs:[00000030h]		14_2_045BA61C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C600 mov eax, dword ptr fs:[00000030h]		14_2_0458C600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C600 mov eax, dword ptr fs:[00000030h]		14_2_0458C600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C600 mov eax, dword ptr fs:[00000030h]		14_2_0458C600
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B8E00 mov eax, dword ptr fs:[00000030h]		14_2_045B8E00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463FE3F mov eax, dword ptr fs:[00000030h]		14_2_0463FE3F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04641608 mov eax, dword ptr fs:[00000030h]		14_2_04641608
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458E620 mov eax, dword ptr fs:[00000030h]		14_2_0458E620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B36CC mov eax, dword ptr fs:[00000030h]		14_2_045B36CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C8EC7 mov eax, dword ptr fs:[00000030h]		14_2_045C8EC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463FEC0 mov eax, dword ptr fs:[00000030h]		14_2_0463FEC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658ED6 mov eax, dword ptr fs:[00000030h]		14_2_04658ED6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B16E0 mov ecx, dword ptr fs:[00000030h]		14_2_045B16E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045976E2 mov eax, dword ptr fs:[00000030h]		14_2_045976E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04650EA5 mov eax, dword ptr fs:[00000030h]		14_2_04650EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04650EA5 mov eax, dword ptr fs:[00000030h]		14_2_04650EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04650EA5 mov eax, dword ptr fs:[00000030h]		14_2_04650EA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046046A7 mov eax, dword ptr fs:[00000030h]		14_2_046046A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461FE87 mov eax, dword ptr fs:[00000030h]		14_2_0461FE87
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658F6A mov eax, dword ptr fs:[00000030h]		14_2_04658F6A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459EF40 mov eax, dword ptr fs:[00000030h]		14_2_0459EF40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459FF60 mov eax, dword ptr fs:[00000030h]		14_2_0459FF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AF716 mov eax, dword ptr fs:[00000030h]		14_2_045AF716
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA70E mov eax, dword ptr fs:[00000030h]		14_2_045BA70E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA70E mov eax, dword ptr fs:[00000030h]		14_2_045BA70E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465070D mov eax, dword ptr fs:[00000030h]		14_2_0465070D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0465070D mov eax, dword ptr fs:[00000030h]		14_2_0465070D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BE730 mov eax, dword ptr fs:[00000030h]		14_2_045BE730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461FF10 mov eax, dword ptr fs:[00000030h]		14_2_0461FF10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461FF10 mov eax, dword ptr fs:[00000030h]		14_2_0461FF10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04584F2E mov eax, dword ptr fs:[00000030h]		14_2_04584F2E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04584F2E mov eax, dword ptr fs:[00000030h]		14_2_04584F2E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C37F5 mov eax, dword ptr fs:[00000030h]		14_2_045C37F5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04598794 mov eax, dword ptr fs:[00000030h]		14_2_04598794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607794 mov eax, dword ptr fs:[00000030h]		14_2_04607794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607794 mov eax, dword ptr fs:[00000030h]		14_2_04607794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607794 mov eax, dword ptr fs:[00000030h]		14_2_04607794
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A0050 mov eax, dword ptr fs:[00000030h]		14_2_045A0050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A0050 mov eax, dword ptr fs:[00000030h]		14_2_045A0050
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04651074 mov eax, dword ptr fs:[00000030h]		14_2_04651074
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04642073 mov eax, dword ptr fs:[00000030h]		14_2_04642073
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04654015 mov eax, dword ptr fs:[00000030h]		14_2_04654015
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04654015 mov eax, dword ptr fs:[00000030h]		14_2_04654015
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]		14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]		14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]		14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0459B02A mov eax, dword ptr fs:[00000030h]		14_2_0459B02A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607016 mov eax, dword ptr fs:[00000030h]		14_2_04607016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607016 mov eax, dword ptr fs:[00000030h]		14_2_04607016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04607016 mov eax, dword ptr fs:[00000030h]		14_2_04607016
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]		14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]		14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]		14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]		14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B002D mov eax, dword ptr fs:[00000030h]		14_2_045B002D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]		14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov ecx, dword ptr fs:[00000030h]		14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]		14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]		14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]		14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0461B8D0 mov eax, dword ptr fs:[00000030h]		14_2_0461B8D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045858EC mov eax, dword ptr fs:[00000030h]		14_2_045858EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589080 mov eax, dword ptr fs:[00000030h]		14_2_04589080
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BF0BF mov ecx, dword ptr fs:[00000030h]		14_2_045BF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BF0BF mov eax, dword ptr fs:[00000030h]		14_2_045BF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BF0BF mov eax, dword ptr fs:[00000030h]		14_2_045BF0BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04603884 mov eax, dword ptr fs:[00000030h]		14_2_04603884
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04603884 mov eax, dword ptr fs:[00000030h]		14_2_04603884
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C90AF mov eax, dword ptr fs:[00000030h]		14_2_045C90AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B20A0 mov eax, dword ptr fs:[00000030h]		14_2_045B20A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AB944 mov eax, dword ptr fs:[00000030h]		14_2_045AB944
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AB944 mov eax, dword ptr fs:[00000030h]		14_2_045AB944
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B171 mov eax, dword ptr fs:[00000030h]		14_2_0458B171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B171 mov eax, dword ptr fs:[00000030h]		14_2_0458B171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458C962 mov eax, dword ptr fs:[00000030h]		14_2_0458C962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589100 mov eax, dword ptr fs:[00000030h]		14_2_04589100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589100 mov eax, dword ptr fs:[00000030h]		14_2_04589100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589100 mov eax, dword ptr fs:[00000030h]		14_2_04589100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B513A mov eax, dword ptr fs:[00000030h]		14_2_045B513A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B513A mov eax, dword ptr fs:[00000030h]		14_2_045B513A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]		14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]		14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]		14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov eax, dword ptr fs:[00000030h]		14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A4120 mov ecx, dword ptr fs:[00000030h]		14_2_045A4120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046141E8 mov eax, dword ptr fs:[00000030h]		14_2_046141E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B1E1 mov eax, dword ptr fs:[00000030h]		14_2_0458B1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B1E1 mov eax, dword ptr fs:[00000030h]		14_2_0458B1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458B1E1 mov eax, dword ptr fs:[00000030h]		14_2_0458B1E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046069A6 mov eax, dword ptr fs:[00000030h]		14_2_046069A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B2990 mov eax, dword ptr fs:[00000030h]		14_2_045B2990
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045AC182 mov eax, dword ptr fs:[00000030h]		14_2_045AC182
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045BA185 mov eax, dword ptr fs:[00000030h]		14_2_045BA185
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]		14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]		14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]		14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_046051BE mov eax, dword ptr fs:[00000030h]		14_2_046051BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B61A0 mov eax, dword ptr fs:[00000030h]		14_2_045B61A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045B61A0 mov eax, dword ptr fs:[00000030h]		14_2_045B61A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463B260 mov eax, dword ptr fs:[00000030h]		14_2_0463B260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0463B260 mov eax, dword ptr fs:[00000030h]		14_2_0463B260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04658A62 mov eax, dword ptr fs:[00000030h]		14_2_04658A62
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]		14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]		14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]		14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04589240 mov eax, dword ptr fs:[00000030h]		14_2_04589240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C927A mov eax, dword ptr fs:[00000030h]		14_2_045C927A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0464EA55 mov eax, dword ptr fs:[00000030h]		14_2_0464EA55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04614257 mov eax, dword ptr fs:[00000030h]		14_2_04614257
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045A3A1C mov eax, dword ptr fs:[00000030h]		14_2_045A3A1C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov eax, dword ptr fs:[00000030h]		14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov ecx, dword ptr fs:[00000030h]		14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov eax, dword ptr fs:[00000030h]		14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04585210 mov eax, dword ptr fs:[00000030h]		14_2_04585210
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458AA16 mov eax, dword ptr fs:[00000030h]		14_2_0458AA16
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_0458AA16 mov eax, dword ptr fs:[00000030h]		14_2_0458AA16
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_04598A0A mov eax, dword ptr fs:[00000030h]		14_2_04598A0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C4A2C mov eax, dword ptr fs:[00000030h]		14_2_045C4A2C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 14_2_045C4A2C mov eax, dword ptr fs:[00000030h]		14_2_045C4A2C

Enables debug privileges

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 154.92.73.140 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 165.160.13.20 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.24.109.70 80			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Memory written: C:\Users\user\Desktop\Po-covid19 2372#w2..exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: BF0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000004.00000002.616589320.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.256011429.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.276172975.000000000871F000.00000004.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.256011429.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.256011429.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000E.00000002.617812002.0000000002E10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Users\user\Desktop\Po-covid19 2372#w2..exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE