Analysis Report COVID 19 BENEFIT FORM 2.exe

Overview

General Information

Sample Name: COVID 19 BENEFIT FORM 2.exe
Analysis ID: 397590
MD5: 734dcc6ee873ad6667d9cad4e5040134
SHA1: 205b63e53d5789f469bdfafdfb553e74b967f5df
SHA256: cce12e2162f90a88715e50bfa993e9d3233fecaf608fb18cda68f0154f0e1d5b
Tags: AgentTesla, COVID-19, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • COVID 19 BENEFIT FORM 2.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe' MD5: 734DCC6EE873AD6667D9CAD4E5040134)
    • schtasks.exe (PID: 6880 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "logs@seedchangeinv.commmm777@@mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.377564391.00000000040CD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe', ParentImage: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe, ParentProcessId: 6424, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp', ProcessId: 6880

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "logs@seedchangeinv.commmm777@@mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lVGkcjmu.exe; ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: COVID 19 BENEFIT FORM 2.exe; Virustotal: Detection: 43%
Source: COVID 19 BENEFIT FORM 2.exe; ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lVGkcjmu.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: COVID 19 BENEFIT FORM 2.exe; Joe Sandbox ML: detected
Source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: COVID 19 BENEFIT FORM 2.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: COVID 19 BENEFIT FORM 2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://SBRGHbI6v8zShNk.net
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://SBRGHbI6v8zShNk.netL2
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.330293022.0000000005EAA000.00000004.00000001.sdmp; String found in binary or memory: http://en.w
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.329792577.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp; String found in binary or memory: http://mail.privateemail.com
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://mapoex.com
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.sectigo.com0
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.334907624.0000000005EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.334907624.0000000005EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlBW
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.334231166.0000000005EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlnW/
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332816319.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com0
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comJhEB
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comNF8
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332816319.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comTC
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comTC(Sr
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comWF3
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comac
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332479184.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.come
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.come5BV
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comen
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comic
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comlt
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.compt
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comtig
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comx
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375338319.00000000015E7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338116776.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers#
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337167523.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers-Sq
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336671003.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338045037.0000000005EBE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmld
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338606084.0000000005EBE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlh
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337413588.0000000005EBE000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337387930.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlf
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.345153128.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersB
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.345153128.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersES
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337167523.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersF
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338116776.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersdSF
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375338319.00000000015E7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comgreta
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375338319.00000000015E7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comiona
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331820934.0000000005EA4000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331864305.0000000005EA0000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331974163.0000000005EA2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331540177.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/FqR
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn;
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnK
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnk
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnl
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnof
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.341196577.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331540177.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.k
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr-c
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.krx.
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.341196577.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336815155.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.)Qr
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.328572795.0000000005E82000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.328572795.0000000005E82000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comn
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr)Rr
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331382313.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kra-es)Rr
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krn-usur
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331540177.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krq
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comWE0
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332246844.00000000015EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comn-u3
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336364737.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.de
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338840406.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deEEB
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336364737.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deLE;
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.339197866.0000000005EA8000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deWE0
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336364737.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deiEEB
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cnK
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cna
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332430336.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cno.
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332430336.0000000005E9B000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cnr-f
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack, <PrivateImplementationDetails>{3C5ACC4E-4173-4CE9-A88E-8EFA98FCB099}/293A124B-AB49-44B7-9397-5CD9CB98E805.cs; Large array initialization: .cctor: array initializer size 12037
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_00B62304
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_0158C124
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_0158E570
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_0158E560
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1978
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1C10
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F3D7E
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F0040
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1969
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1C00
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F0C78
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F0C6A
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1E4D
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1E98
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F3EB6
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F0006
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F0579
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F0588
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F1698
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 0_2_081F16A8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 7_2_002A2304
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 8_2_00062304
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 9_2_00222304
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_004C2304
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B50040
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B59990
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B541F8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B56154
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B55AA8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B53210
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B5B5AD
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B52590
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B54198
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00B5CB70
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00C868D8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00C85650
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00C85B78
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00CA0068
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00CA9610
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00CA5FB0
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00CA70D8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00CAB3D8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Code function: 10_2_00CACD50
Source: COVID 19 BENEFIT FORM 2.exe; Binary or memory string: OriginalFilename vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.388072223.00000000100F0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.388072223.00000000100F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.387855603.000000000FFF0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.373930838.0000000000B62000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamelEoaqcxNgfzuerfwjwfBvMgttynocmgZjwmB.exe4 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.386735033.0000000009940000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000007.00000002.368822725.00000000002A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000008.00000000.369729906.0000000000062000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 00000009.00000000.371224608.0000000000222000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.605368510.0000000005DA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.598377640.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamelEoaqcxNgfzuerfwjwfBvMgttynocmgZjwmB.exe4 vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596448626.00000000004C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.598293272.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lVGkcjmu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/3@0/0
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File created: C:\Users\user\AppData\Roaming\lVGkcjmu.exe
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Mutant created: \Sessions\1\BaseNamedObjects\qzUKnVUVtEAujFcp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File created: C:\Users\user\AppData\Local\Temp\tmp764A.tmp
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.373930838.0000000000B62000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000007.00000002.368822725.00000000002A2000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000008.00000000.369729906.0000000000062000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000009.00000000.371224608.0000000000222000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596448626.00000000004C2000.00000002.00020000.sdmp | Binary or memory string: SELECT id,prizm_code,upc,name,description,brand_id,color,price,tax,tax_id,stock_in_hand,jedinica_mere,is_active FROM pos.items;Error while displaying items!%dataGridViewUpdate
Source: COVID 19 BENEFIT FORM 2.exe | Virustotal: Detection: 43%
Source: COVID 19 BENEFIT FORM 2.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File read: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
Source: unknown | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe'
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: COVID 19 BENEFIT FORM 2.exe | Static file information: File size 1059328 > 1048576
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102000
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: 0xD4A32624 [Mon Jan 18 01:38:44 2083 UTC]
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_00B6B071 push es; ret 0_2_00B6B072
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_00B6B06B push es; ret 0_2_00B6B06C
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_0158F930 push eax; iretd 0_2_0158F931
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_081F67E4 push dword ptr [edx+ebp*2-75h]; iretd 0_2_081F67EF
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 7_2_002AB06B push es; ret 7_2_002AB06C
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 7_2_002AB071 push es; ret 7_2_002AB072
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 8_2_0006B06B push es; ret 8_2_0006B06C
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 8_2_0006B071 push es; ret 8_2_0006B072
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 9_2_0022B06B push es; ret 9_2_0022B06C
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 9_2_0022B071 push es; ret 9_2_0022B072
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_004CB06B push es; ret 10_2_004CB06C
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_004CB071 push es; ret 10_2_004CB072
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00B59685 push esp; iretd 10_2_00B59686
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00C8B5BF push edi; retn 0000h 10_2_00C8B5C1
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00CA46F2 push 8BFFFFFFh; retf 10_2_00CA46F8
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00CAE613 push edi; ret 10_2_00CAE616
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00D9D95C push eax; ret 10_2_00D9D95D
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00D9E348 push eax; ret 10_2_00D9E349
Source: initial sample | Static PE information: section name: .text entropy: 7.55509346108
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File created: C:\Users\user\AppData\Roaming\lVGkcjmu.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 6424, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Window / User API: threadDelayed 1059
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Window / User API: threadDelayed 8793
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6428 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6448 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 3876 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6504 | Thread sleep count: 1059 > 30
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6504 | Thread sleep count: 8793 > 30
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Thread delayed: delay time: 922337203685477
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.598943149.0000000000E47000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00B518F8 LdrInitializeThunk
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Memory written: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation