
Analysis Report COVID 19 BENEFIT FORM 2.exe

Overview

General Information

Sample Name: COVID 19 BENEFIT FORM 2.exe
Analysis ID: 397590
MD5: 734dcc6ee873ad6667d9cad4e5040134
SHA1: 205b63e53d5789f469bdfafdfb553e74b967f5df
SHA256: cce12e2162f90a88715e50bfa993e9d3233fecaf608fb18cda68f0154f0e1d5b
Tags: AgentTesla, COVID-19, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • COVID 19 BENEFIT FORM 2.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe' MD5: 734DCC6EE873AD6667D9CAD4E5040134)
    • schtasks.exe (PID: 6880 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "logs@seedchangeinv.commmm777@@mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.377564391.00000000040CD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe'
  ParentImage: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
  ParentProcessId: 6424
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
  ProcessId: 6880

Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "logs@seedchangeinv.commmm777@@mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lVGkcjmu.exe; ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: COVID 19 BENEFIT FORM 2.exe; Virustotal: Detection: 43%
Source: COVID 19 BENEFIT FORM 2.exe; ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lVGkcjmu.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: COVID 19 BENEFIT FORM 2.exe; Joe Sandbox ML: detected
Source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: COVID 19 BENEFIT FORM 2.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: COVID 19 BENEFIT FORM 2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3C5ACC4Eu002d4173u002d4CE9u002dA88Eu002d8EFA98FCB099u007d/u003293A124Bu002dAB49u002d44B7u002d9397u002d5CD9CB98E805.cs; Large array initialization: .cctor: array initializer size 12037
                  Source: COVID 19 BENEFIT FORM 2.exe | Binary or memory string: OriginalFilename vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.388072223.00000000100F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.388072223.00000000100F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.387855603.000000000FFF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.373930838.0000000000B62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelEoaqcxNgfzuerfwjwfBvMgttynocmgZjwmB.exe4 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.386735033.0000000009940000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000007.00000002.368822725.00000000002A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000008.00000000.369729906.0000000000062000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000009.00000000.371224608.0000000000222000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.605368510.0000000005DA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.598377640.0000000000C90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamelEoaqcxNgfzuerfwjwfBvMgttynocmgZjwmB.exe4 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596448626.00000000004C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.598293272.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe | Binary or memory string: OriginalFilenameyY0 vs COVID 19 BENEFIT FORM 2.exe
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: lVGkcjmu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/3@0/0
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File created: C:\Users\user\AppData\Roaming\lVGkcjmu.exe
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Mutant created: \Sessions\1\BaseNamedObjects\qzUKnVUVtEAujFcp
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File created: C:\Users\user\AppData\Local\Temp\tmp764A.tmp
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.373930838.0000000000B62000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000007.00000002.368822725.00000000002A2000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000008.00000000.369729906.0000000000062000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000009.00000000.371224608.0000000000222000.00000002.00020000.sdmp, COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596448626.00000000004C2000.00000002.00020000.sdmp | Binary or memory string: SELECT id,prizm_code,upc,name,description,brand_id,color,price,tax,tax_id,stock_in_hand,jedinica_mere,is_active FROM pos.items;Error while displaying items!%dataGridViewUpdate
                  Source: COVID 19 BENEFIT FORM 2.exe | Virustotal: Detection: 43%
                  Source: COVID 19 BENEFIT FORM 2.exe | ReversingLabs: Detection: 36%
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File read: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe'
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: COVID 19 BENEFIT FORM 2.exe | Static file information: File size 1059328 > 1048576
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102000
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: COVID 19 BENEFIT FORM 2.exe | Static PE information: 0xD4A32624 [Mon Jan 18 01:38:44 2083 UTC]
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_00B6B071 push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_00B6B06B push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_0158F930 push eax; iretd
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 0_2_081F67E4 push dword ptr [edx+ebp*2-75h]; iretd
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 7_2_002AB06B push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 7_2_002AB071 push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 8_2_0006B06B push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 8_2_0006B071 push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 9_2_0022B06B push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 9_2_0022B071 push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_004CB06B push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_004CB071 push es; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00B59685 push esp; iretd
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00C8B5BF push edi; retn 0000h
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00CA46F2 push 8BFFFFFFh; retf
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00CAE613 push edi; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00D9D95C push eax; ret
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00D9E348 push eax; ret
                  Source: initial sample | Static PE information: section name: .text entropy: 7.55509346108
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File created: C:\Users\user\AppData\Roaming\lVGkcjmu.exe

                  Boot Survival:

                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 6424, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Window / User API: threadDelayed 1059
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Window / User API: threadDelayed 8793
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6428 | Thread sleep time: -31500s >= -30000s
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6448 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 3876 | Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6504 | Thread sleep count: 1059 > 30
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe TID: 6504 | Thread sleep count: 8793 > 30
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Thread delayed: delay time: 31500
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Thread delayed: delay time: 922337203685477
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.598943149.0000000000E47000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Code function: 10_2_00B518F8 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into foreign processes
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Memory written: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Process created: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe {path}
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
                  Source: COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599020135.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; queries volume information: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected AgentTesla
                  Source: Yara match; file source: 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000002.377564391.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 6424, type: MEMORY
                  Source: Yara match; file source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 7000, type: MEMORY
                  Source: Yara match; file source: 0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; file opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; file opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe; key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match; file source: 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 7000, type: MEMORY

                  Remote Access Functionality:

                  Yara detected AgentTesla
                  Source: Yara match; file source: 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000002.377564391.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match; file source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 6424, type: MEMORY
                  Source: Yara match; file source: Process Memory Space: COVID 19 BENEFIT FORM 2.exe PID: 7000, type: MEMORY
                  Source: Yara match; file source: 0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 0.2.COVID 19 BENEFIT FORM 2.exe.4293c80.2.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 321 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 141 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 141 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  COVID 19 BENEFIT FORM 2.exe | 43% | Virustotal |
                  COVID 19 BENEFIT FORM 2.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                  COVID 19 BENEFIT FORM 2.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Roaming\lVGkcjmu.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Roaming\lVGkcjmu.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  10.2.COVID 19 BENEFIT FORM 2.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

                  No Antivirus matches

                  URLs

                  Source | Detection | Scanner | Label
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                  http://www.ascendercorp.com/typedesigners.htmlnW/ | 0% | Avira URL Cloud | safe
                  http://www.goodfont.co.kr-c | 0% | Avira URL Cloud | safe
                  http://www.tiro.comn-u3 | 0% | Avira URL Cloud | safe
                  http://www.urwpp.deWE0 | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comen | 0% | URL Reputation | safe
                  http://www.carterandcone.comWF3 | 0% | Avira URL Cloud | safe
                  http://www.sandoll.co.krn-usur | 0% | Avira URL Cloud | safe
                  http://www.zhongyicts.com.cnr-f | 0% | Avira URL Cloud | safe
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                  http://www.fontbureau.comgreta | 0% | URL Reputation | safe
                  http://www.goodfont.co.krx. | 0% | Avira URL Cloud | safe
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                  http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                  http://www.tiro.comWE0 | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.como. | 0% | URL Reputation | safe
                  https://api.ipify.org% | 0% | URL Reputation | safe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                  http://www.carterandcone.comtig | 0% | Avira URL Cloud | safe
                  http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
                  http://www.carterandcone.come | 0% | URL Reputation | safe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                  http://www.sandoll.co.krq | 0% | Avira URL Cloud | safe
                  http://www.urwpp.deLE; | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comNF8 | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.compt | 0% | Avira URL Cloud | safe
                  http://www.urwpp.deiEEB | 0% | Avira URL Cloud | safe
                  http://en.w | 0% | URL Reputation | safe
                  http://www.carterandcone.coml | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cna | 0% | Avira URL Cloud | safe
                  http://www.sandoll.co.kr)Rr | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.comx | 0% | Avira URL Cloud | safe
                  http://www.zhongyicts.com.cnK | 0% | Avira URL Cloud | safe
                  http://www.founder.com.cn/cnK | 0% | Avira URL Cloud | safe
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                  http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                  http://www.urwpp.deEEB | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.com0 | 0% | Avira URL Cloud | safe
                  http://www.tiro.com | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn; | 0% | Avira URL Cloud | safe
                  http://www.founder.com.cn/cn/FqR | 0% | Avira URL Cloud | safe
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe
                  http://www.carterandcone.com | 0% | URL Reputation | safe
                  http://www.carterandcone.comJhEB | 0% | Avira URL Cloud | safe
                  http://www.fontbureau.comiona | 0% | URL Reputation | safe
                  http://www.typography.netD | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.ascendercorp.com/typedesigners.htmlnW/ | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.334231166.0000000005EA3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr-c | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comn-u3 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332246844.00000000015EC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deWE0 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.339197866.0000000005EA8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comen | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.carterandcone.comWF3 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krn-usur | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnr-f | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332430336.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.328572795.0000000005E82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers-Sq | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337167523.0000000005E9B000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgreta | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375338319.00000000015E7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.krx. | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.334907624.0000000005EA3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comWE0 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375417166.0000000002F21000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.como. | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comtig | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.come | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332479184.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.htmlf | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337387930.0000000005E9B000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersES | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.345153128.0000000005E9B000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krq | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331540177.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deLE; | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336364737.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comNF8 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.compt | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deiEEB | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336364737.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.privateemail.com | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp | false | - | high
http://en.w | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.330293022.0000000005EAA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331974163.0000000005EA2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337413588.0000000005EBE000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.zhongyicts.com.cna | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr)Rr | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comx | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnK | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersF | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.337167523.0000000005E9B000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnK | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.urwpp.deEEB | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338840406.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersB | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.345153128.0000000005E9B000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.com0 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn; | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/FqR | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331540177.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332816319.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comJhEB | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comiona | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375338319.00000000015E7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.341196577.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.329792577.0000000005E9B000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnk | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp | false | - | unknown
http://www.founder.com.cn/cnl | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.k | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331540177.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331486082.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC(Sr | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comac | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336364737.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comic | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333039942.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comn | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.328572795.0000000005E82000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.come5BV | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.333146895.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.375338319.00000000015E7000.00000004.00000040.sdmp | false | - | high
http://DynDns.comDynDNS | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.601224082.0000000002BD1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mapoex.com | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://SBRGHbI6v8zShNk.netL2 | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332816319.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://SBRGHbI6v8zShNk.net | COVID 19 BENEFIT FORM 2.exe, 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comlt | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332725617.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.htmlBW | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.334907624.0000000005EA3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmld | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338045037.0000000005EBE000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.htmlh | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338606084.0000000005EBE000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.htmlN | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331820934.0000000005EA4000.00000004.00000001.sdmp, COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331864305.0000000005EA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kra-es)Rr | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.331382313.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.monotype.)Qr | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.336815155.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.monotype. | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.341196577.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers# | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338116776.0000000005E9B000.00000004.00000001.sdmp | false | - | high
http://www.zhongyicts.com.cno. | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332430336.0000000005E9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | COVID 19 BENEFIT FORM 2.exe, 00000000.00000002.382360322.0000000005F70000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersdSF | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.338116776.0000000005E9B000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnof | COVID 19 BENEFIT FORM 2.exe, 00000000.00000003.332128006.0000000005E9B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

                                                              Joe Sandbox Version:31.0.0 Emerald
                                                              Analysis ID:397590
                                                              Start date:26.04.2021
                                                              Start time:08:10:52
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 12m 8s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:light
                                                              Sample file name:COVID 19 BENEFIT FORM 2.exe
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@12/3@0/0
                                                              EGA Information:Failed
                                                              HDC Information:
                                                              • Successful, ratio: 0.9% (good quality ratio 0.8%)
                                                              • Quality average: 74.6%
                                                              • Quality standard deviation: 36.2%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 0
                                                              • Number of non-executed functions: 0
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .exe
                                                              Warnings:
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

Time | Type | Description
08:11:53 | API Interceptor | 604x Sleep call for process: COVID 19 BENEFIT FORM 2.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              No context

                                                              Domains

                                                              No context

                                                              ASN

                                                              No context

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COVID 19 BENEFIT FORM 2.exe.log
                                                              Process:C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.355304211458859
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                              C:\Users\user\AppData\Local\Temp\tmp764A.tmp
                                                              Process:C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1653
                                                              Entropy (8bit):5.161424567837416
                                                              Encrypted:false
                                                              SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3gtn:cbha7JlNQV/rydbz9I3YODOLNdq3w
                                                              MD5:16A94BE6EBAD3568D9448D68732242F7
                                                              SHA1:469EA4CEFC16BB192AB7B77402726772270AF094
                                                              SHA-256:8AF2CDA081DBA7360EB8167F9838F5E768748461125E9E22F35B6FFD6088EE34
                                                              SHA-512:09DC435C8D28F0C7785AD1A4D8E0399DF68DF84D5A6C61B208449D88B40189156527CAF42CF55CD0C69206A3BC37570AB30177B8812BFFB192C62A040FD46C4C
                                                              Malicious:true
                                                              Reputation:low
                                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                              C:\Users\user\AppData\Roaming\lVGkcjmu.exe
                                                              Process:C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1059328
                                                              Entropy (8bit):7.553054120628421
                                                              Encrypted:false
                                                              SSDEEP:24576:sCoLASBuls9O+ITcyZwBCrKaPW1P6GT4g6T98UAKL4M:22s9OjAyuBQNP6p6T6ZE
                                                              MD5:734DCC6EE873AD6667D9CAD4E5040134
                                                              SHA1:205B63E53D5789F469BDFAFDFB553E74B967F5DF
                                                              SHA-256:CCE12E2162F90A88715E50BFA993E9D3233FECAF608FB18CDA68F0154F0E1D5B
                                                              SHA-512:61B9DD380EFFC682868EE45D7C1A789A6F516409586F93908A3CBC222300AFAA8BC309719E68A63DD0C2095955138C9F75B041DBD0B234FF824D21C8949E7EA5
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 37%
                                                              Reputation:low
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$&................0.. ...........?... ...@....@.. ....................................@..................................?..O....@.......................`......d?............................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................?......H.......$....e......s.......pE..........................................".(.....*V.(........(....}....*..0..!.........{....o....o.....o....o.....+..*....0..M.........{....o....o.....o.....o......{....o....o.....o....r...po......{.....o ....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*..{....*^.(........}......}....*....0...........r/..p.+..*..0...........rY..p.+..*".(.....*2.{....o'...*2.{....o(...*..{....*"..}....*..{....*"..}....*..{....*"..}

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.553054120628421
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:COVID 19 BENEFIT FORM 2.exe
                                                              File size:1059328
                                                              MD5:734dcc6ee873ad6667d9cad4e5040134
                                                              SHA1:205b63e53d5789f469bdfafdfb553e74b967f5df
                                                              SHA256:cce12e2162f90a88715e50bfa993e9d3233fecaf608fb18cda68f0154f0e1d5b
                                                              SHA512:61b9dd380effc682868ee45d7c1a789a6f516409586f93908a3cbc222300afaa8bc309719e68a63dd0c2095955138c9f75b041dbd0b234ff824d21c8949e7ea5
                                                              SSDEEP:24576:sCoLASBuls9O+ITcyZwBCrKaPW1P6GT4g6T98UAKL4M:22s9OjAyuBQNP6p6T6ZE
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$&................0.. ...........?... ...@....@.. ....................................@................................

                                                              File Icon

                                                              Icon Hash:00828e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x503fd2
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0xD4A32624 [Mon Jan 18 01:38:44 2083 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add al, byte ptr [eax]
                                                              adc byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              and byte ptr [eax], al
                                                              add byte ptr [eax+00000018h], al
                                                              push eax
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], 00000000h
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add dword ptr [eax], eax
                                                              add dword ptr [eax], eax
                                                              add byte ptr [eax], al
                                                              cmp byte ptr [eax], al
                                                              add byte ptr [eax+00000000h], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add dword ptr [eax], eax
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], 00000000h
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [ecx], al
                                                              add byte ptr [ecx], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+00h], ch
                                                              add byte ptr [eax+00000000h], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add dword ptr [eax], eax
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              les eax, fword ptr [ebx]
                                                              add byte ptr [eax], al
                                                              nop
                                                              inc eax
                                                              adc byte ptr [eax], al
                                                              xor al, 03h
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              xor al, 03h
                                                              xor al, 00h
                                                              add byte ptr [eax], al
                                                              push esi
                                                              add byte ptr [ebx+00h], dl

                                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x103f80 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x104000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x106000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x103f64 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x101fd8 | 0x102000 | False | 0.79585396227 | data | 7.55509346108 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x104000 | 0x5c4 | 0x600 | False | 0.4296875 | data | 4.19069643928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x106000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x104090 | 0x334 | data | |
RT_MANIFEST | 0x1043d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                              Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020
Assembly Version | 1.0.0.0
InternalName | 3Y6kOc.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | POSCashSystem
ProductVersion | 1.0.0.0
FileDescription | POSCashSystem
OriginalFilename | 3Y6kOc.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 08:11:41
Start date: 26/04/2021
Path: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe'
Imagebase: 0xb60000
File size: 1059328 bytes
MD5 hash: 734DCC6EE873AD6667D9CAD4E5040134
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.377564391.00000000040CD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.377324089.0000000003F29000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 08:12:00
Start date: 26/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lVGkcjmu' /XML 'C:\Users\user\AppData\Local\Temp\tmp764A.tmp'
Imagebase: 0x1210000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:12:01
Start date: 26/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:12:01
Start date: 26/04/2021
Path: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x2a0000
File size: 1059328 bytes
MD5 hash: 734DCC6EE873AD6667D9CAD4E5040134
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 08:12:02
Start date: 26/04/2021
Path: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x60000
File size: 1059328 bytes
MD5 hash: 734DCC6EE873AD6667D9CAD4E5040134
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 08:12:02
Start date: 26/04/2021
Path: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x220000
File size: 1059328 bytes
MD5 hash: 734DCC6EE873AD6667D9CAD4E5040134
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 08:12:03
Start date: 26/04/2021
Path: C:\Users\user\Desktop\COVID 19 BENEFIT FORM 2.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x4c0000
File size: 1059328 bytes
MD5 hash: 734DCC6EE873AD6667D9CAD4E5040134
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.596294759.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.599311455.0000000002871000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
