Analysis Report COVID-19-Related Requirements.exe

Overview

General Information

Sample Name: COVID-19-Related Requirements.exe
Analysis ID: 425178
MD5: 7efd588df5d918372c111708f02cc3ce
SHA1: de98b083ed7e8b78be25cacf0715d15dd04228f5
SHA256: de0011128191babcbdb339d2ab7f9568e0b12c5ebc00a99c235fea849885b6a1
Tags: COVID-19, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.tiffanysbeautybling.com/cgsp/"], "decoy": ["dzxcsy.com", "communication-digitale.net", "darkspot.pro", "neighborschoicefranchise.com", "mujeresaprendices.com", "ryanita.com", "karmelbali.com", "lengzu.net", "archoneshop.com", "auszeit-online.com", "incredikit.com", "theostermangroup.com", "challengesbringsuccess.com", "thegoddogcure.com", "missshalae.com", "mulherviaje.com", "danieljosephmuldoon.com", "plantitasmke.com", "lyson.info", "boardwalkcafebeaufort.com", "genesisdrumco.com", "bynature4nature.com", "notesfromthelovewars.com", "klimabeyazesyatamiri.xyz", "micatholics4biden.com", "epicdentalacademy.com", "lucrarsemfronteiras.com", "fmgurbanoutlet.com", "tonkuik.fyi", "sfypband.com", "aspeneaterys.com", "obzophigkr.net", "portablesteamsaunas.com", "clubroyals.com", "658194.com", "samuelhere.com", "footfull.info", "riptidetutorials.com", "catanetwork.com", "nocodecrypto.com", "kisukine.com", "tag-less-poets.com", "juxrams.info", "thebrandvoicemagazine.com", "montanablogs.com", "productos-photon.com", "aibetech.com", "wg101.com", "coefficientinsurence.com", "arinasystem.com", "elgrabador.com", "thewanderers.info", "openbracketindia.com", "saya-pai.com", "healthyskepticmd.com", "lumberlandjsc.xyz", "chanelkonferenz.online", "ajretrobg.com", "libittu.com", "oneroofingnearme.com", "pyd.xyz", "aikookuyama1.com", "partners-net.com", "imrichardallan.com"]}
Multi AV Scanner detection for submitted file
Source: COVID-19-Related Requirements.exe Virustotal: Detection: 23%
Source: COVID-19-Related Requirements.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: COVID-19-Related Requirements.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: COVID-19-Related Requirements.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: COVID-19-Related Requirements.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: COVID-19-Related Requirements.exe, 0000000F.00000002.485261731.0000000001AA0000.00000040.00000001.sdmp, wscript.exe, 00000013.00000002.598596904.0000000004E9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: COVID-19-Related Requirements.exe, wscript.exe
Source: Binary string: wscript.pdb source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 4x nop then pop edi 15_2_0040E3C8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 4x nop then pop edi 15_2_0040E427
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 19_2_00B1E3C8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 19_2_00B1E427

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.tiffanysbeautybling.com/cgsp/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1 Host: www.portablesteamsaunas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: global traffic HTTP traffic detected: GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1 Host: www.portablesteamsaunas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.portablesteamsaunas.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.435521033.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.commQ
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp String found in binary or memory: http://www.portablesteamsaunas.com
Source: wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp String found in binary or memory: http://www.portablesteamsaunas.com/
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: COVID-19-Related Requirements.exe String found in binary or memory: https://api.imgur.com/3/image/
Source: COVID-19-Related Requirements.exe String found in binary or memory: https://api.imgur.com/oauth2/authorize?client_id=
Source: COVID-19-Related Requirements.exe String found in binary or memory: https://api.imgur.com/oauth2/token

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041A060 NtClose, 15_2_0041A060
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041A110 NtAllocateVirtualMemory, 15_2_0041A110
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00419F30 NtCreateFile, 15_2_00419F30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00419FE0 NtReadFile, 15_2_00419FE0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00419FDC NtReadFile, 15_2_00419FDC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B099A0 NtCreateSection,LdrInitializeThunk, 15_2_01B099A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_01B09910
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B098F0 NtReadVirtualMemory,LdrInitializeThunk, 15_2_01B098F0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_01B09860
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09840 NtDelayExecution,LdrInitializeThunk, 15_2_01B09840
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09A20 NtResumeThread,LdrInitializeThunk, 15_2_01B09A20
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09A00 NtProtectVirtualMemory,LdrInitializeThunk, 15_2_01B09A00
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09A50 NtCreateFile,LdrInitializeThunk, 15_2_01B09A50
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B095D0 NtClose,LdrInitializeThunk, 15_2_01B095D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09540 NtReadFile,LdrInitializeThunk, 15_2_01B09540
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B097A0 NtUnmapViewOfSection,LdrInitializeThunk, 15_2_01B097A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09780 NtMapViewOfSection,LdrInitializeThunk, 15_2_01B09780
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09710 NtQueryInformationToken,LdrInitializeThunk, 15_2_01B09710
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B096E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_01B096E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_01B09660
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B099D0 NtCreateProcessEx, 15_2_01B099D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09950 NtQueueApcThread, 15_2_01B09950
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B098A0 NtWriteVirtualMemory, 15_2_01B098A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09820 NtEnumerateKey, 15_2_01B09820
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B0B040 NtSuspendThread, 15_2_01B0B040
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B0A3B0 NtGetContextThread, 15_2_01B0A3B0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09B00 NtSetValueKey, 15_2_01B09B00
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09A80 NtOpenDirectoryObject, 15_2_01B09A80
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09A10 NtQuerySection, 15_2_01B09A10
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B095F0 NtQueryInformationFile, 15_2_01B095F0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B0AD30 NtSetContextThread, 15_2_01B0AD30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09520 NtWaitForSingleObject, 15_2_01B09520
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09560 NtWriteFile, 15_2_01B09560
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09FE0 NtCreateMutant, 15_2_01B09FE0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09730 NtQueryVirtualMemory, 15_2_01B09730
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B0A710 NtOpenProcessToken, 15_2_01B0A710
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B0A770 NtOpenThread, 15_2_01B0A770
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09770 NtSetInformationFile, 15_2_01B09770
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09760 NtOpenProcess, 15_2_01B09760
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B096D0 NtCreateKey, 15_2_01B096D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09610 NtEnumerateValueKey, 15_2_01B09610
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09670 NtQueryInformationProcess, 15_2_01B09670
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B09650 NtQueryValueKey, 15_2_01B09650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE95D0 NtClose,LdrInitializeThunk, 19_2_04DE95D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9540 NtReadFile,LdrInitializeThunk, 19_2_04DE9540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE96D0 NtCreateKey,LdrInitializeThunk, 19_2_04DE96D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_04DE96E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9650 NtQueryValueKey,LdrInitializeThunk, 19_2_04DE9650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_04DE9660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9FE0 NtCreateMutant,LdrInitializeThunk, 19_2_04DE9FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9780 NtMapViewOfSection,LdrInitializeThunk, 19_2_04DE9780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9710 NtQueryInformationToken,LdrInitializeThunk, 19_2_04DE9710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9840 NtDelayExecution,LdrInitializeThunk, 19_2_04DE9840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_04DE9860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE99A0 NtCreateSection,LdrInitializeThunk, 19_2_04DE99A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_04DE9910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9A50 NtCreateFile,LdrInitializeThunk, 19_2_04DE9A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE95F0 NtQueryInformationFile, 19_2_04DE95F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9560 NtWriteFile, 19_2_04DE9560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DEAD30 NtSetContextThread, 19_2_04DEAD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9520 NtWaitForSingleObject, 19_2_04DE9520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9670 NtQueryInformationProcess, 19_2_04DE9670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9610 NtEnumerateValueKey, 19_2_04DE9610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE97A0 NtUnmapViewOfSection, 19_2_04DE97A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DEA770 NtOpenThread, 19_2_04DEA770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9770 NtSetInformationFile, 19_2_04DE9770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9760 NtOpenProcess, 19_2_04DE9760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DEA710 NtOpenProcessToken, 19_2_04DEA710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9730 NtQueryVirtualMemory, 19_2_04DE9730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE98F0 NtReadVirtualMemory, 19_2_04DE98F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE98A0 NtWriteVirtualMemory, 19_2_04DE98A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DEB040 NtSuspendThread, 19_2_04DEB040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9820 NtEnumerateKey, 19_2_04DE9820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE99D0 NtCreateProcessEx, 19_2_04DE99D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9950 NtQueueApcThread, 19_2_04DE9950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9A80 NtOpenDirectoryObject, 19_2_04DE9A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9A10 NtQuerySection, 19_2_04DE9A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9A00 NtProtectVirtualMemory, 19_2_04DE9A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9A20 NtResumeThread, 19_2_04DE9A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DEA3B0 NtGetContextThread, 19_2_04DEA3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE9B00 NtSetValueKey, 19_2_04DE9B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2A060 NtClose, 19_2_00B2A060
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2A110 NtAllocateVirtualMemory, 19_2_00B2A110
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B29FE0 NtReadFile, 19_2_00B29FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B29F30 NtCreateFile, 19_2_00B29F30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B29FDC NtReadFile, 19_2_00B29FDC
Detected potential crypto function
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 1_2_018FC194 1_2_018FC194
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 1_2_018FEB28 1_2_018FEB28
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 1_2_018FEB38 1_2_018FEB38
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041E85C 15_2_0041E85C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00401030 15_2_00401030
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041E17E 15_2_0041E17E
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041D189 15_2_0041D189
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041D587 15_2_0041D587
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00402D88 15_2_00402D88
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00402D90 15_2_00402D90
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00409E40 15_2_00409E40
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00402FB0 15_2_00402FB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE4120 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACF900 15_2_01ACF900
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B920A8 15_2_01B920A8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADB090 15_2_01ADB090
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B928EC 15_2_01B928EC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9E824 15_2_01B9E824
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81002 15_2_01B81002
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFEBB0 15_2_01AFEBB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B803DA 15_2_01B803DA
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8DBD2 15_2_01B8DBD2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B92B28 15_2_01B92B28
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B922AE 15_2_01B922AE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2581 15_2_01AF2581
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADD5E0 15_2_01ADD5E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B925DD 15_2_01B925DD
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC0D20 15_2_01AC0D20
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B92D07 15_2_01B92D07
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B91D55 15_2_01B91D55
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD841F 15_2_01AD841F
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8D466 15_2_01B8D466
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B91FF1 15_2_01B91FF1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9DFCE 15_2_01B9DFCE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B92EF7 15_2_01B92EF7
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE6E30 15_2_01AE6E30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8D616 15_2_01B8D616
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6D466 19_2_04E6D466
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB841F 19_2_04DB841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E725DD 19_2_04E725DD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBD5E0 19_2_04DBD5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2581 19_2_04DD2581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E71D55 19_2_04E71D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E72D07 19_2_04E72D07
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA0D20 19_2_04DA0D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E72EF7 19_2_04E72EF7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC6E30 19_2_04DC6E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6D616 19_2_04E6D616
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E71FF1 19_2_04E71FF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7DFCE 19_2_04E7DFCE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E728EC 19_2_04E728EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBB090 19_2_04DBB090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E720A8 19_2_04E720A8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7E824 19_2_04E7E824
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61002 19_2_04E61002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAF900 19_2_04DAF900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC4120 19_2_04DC4120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E722AE 19_2_04E722AE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6DBD2 19_2_04E6DBD2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDEBB0 19_2_04DDEBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E72B28 19_2_04E72B28
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2E85C 19_2_00B2E85C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2E17E 19_2_00B2E17E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B12D90 19_2_00B12D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B12D88 19_2_00B12D88
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B19E40 19_2_00B19E40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B12FB0 19_2_00B12FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04DAB150 appears 35 times
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: String function: 01ACB150 appears 35 times
Sample file is different than original file name gathered from version info
Source: COVID-19-Related Requirements.exe, 00000001.00000002.430989730.0000000000F64000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433207699.0000000003333000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433207699.0000000003333000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.448500832.0000000007780000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432940661.0000000003291000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000D.00000000.427927529.00000000003C4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000E.00000002.429267857.00000000002B4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000002.487052680.0000000001BBF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000000.429960231.0000000000FB4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Uses 32bit PE files
Source: COVID-19-Related Requirements.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: COVID-19-Related Requirements.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: COVID-19-Related Requirements.exe, Reboot_IMG/AreaCaptureForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.COVID-19-Related Requirements.exe.ef0000.0.unpack, Reboot_IMG/AreaCaptureForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.COVID-19-Related Requirements.exe.ef0000.0.unpack, Reboot_IMG/AreaCaptureForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.COVID-19-Related Requirements.exe.350000.0.unpack, Reboot_IMG/AreaCaptureForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.COVID-19-Related Requirements.exe.350000.0.unpack, Reboot_IMG/AreaCaptureForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.COVID-19-Related Requirements.exe.240000.0.unpack, Reboot_IMG/AreaCaptureForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/1@1/1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COVID-19-Related Requirements.exe.log
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Mutant created: \Sessions\1\BaseNamedObjects\KggIKjEuKlfWFkr
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_01
Source: COVID-19-Related Requirements.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: COVID-19-Related Requirements.exe Virustotal: Detection: 23%
Source: COVID-19-Related Requirements.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe File read: C:\Users\user\Desktop\COVID-19-Related Requirements.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: COVID-19-Related Requirements.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: COVID-19-Related Requirements.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: COVID-19-Related Requirements.exe, 0000000F.00000002.485261731.0000000001AA0000.00000040.00000001.sdmp, wscript.exe, 00000013.00000002.598596904.0000000004E9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: COVID-19-Related Requirements.exe, wscript.exe
Source: Binary string: wscript.pdb source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 1_2_00EF6EF1 push cs; ret 1_2_00EF7078
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 1_2_018FE4E8 pushad ; ret 1_2_018FE4E9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 13_2_00356EF1 push cs; ret 13_2_00357078
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 14_2_00246EF1 push cs; ret 14_2_00247078
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041687A push ebp; retf 15_2_0041687B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041D0D2 push eax; ret 15_2_0041D0D8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041D0DB push eax; ret 15_2_0041D142
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_004048E6 push ebx; retf 15_2_004048E7
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041D085 push eax; ret 15_2_0041D0D8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041D13C push eax; ret 15_2_0041D142
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_004164BA pushfd ; retf 15_2_004164BB
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_004165A3 push ds; iretd 15_2_004165A4
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0041A5B5 push eax; retf 15_2_0041A5B6
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00416FEF push edi; iretd 15_2_00416FF1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00F46EF1 push cs; ret 15_2_00F47078
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B1D0D1 push ecx; ret 15_2_01B1D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DFD0D1 push ecx; ret 19_2_04DFD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2D085 push eax; ret 19_2_00B2D0D8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B148E6 push ebx; retf 19_2_00B148E7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2D0D2 push eax; ret 19_2_00B2D0D8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2D0DB push eax; ret 19_2_00B2D142
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2687A push ebp; retf 19_2_00B2687B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2D13C push eax; ret 19_2_00B2D142
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B264BA pushfd ; retf 19_2_00B264BB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B2A5B5 push eax; retf 19_2_00B2A5B6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B265A3 push ds; iretd 19_2_00B265A4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_00B26FEF push edi; iretd 19_2_00B26FF1
Source: initial sample Static PE information: section name: .text entropy: 7.94983598919

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEA
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: COVID-19-Related Requirements.exe PID: 6852, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000B198E4 second address: 0000000000B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000B19B5E second address: 0000000000B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00409A90 rdtsc 15_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe TID: 6920 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000010.00000000.463020458.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.462913500.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 00000010.00000000.458024003.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000010.00000000.462913500.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000010.00000000.458024003.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000010.00000000.462041063.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000010.00000000.454333728.000000000461E000.00000004.00000001.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000010.00000000.462041063.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000010.00000000.463020458.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000010.00000000.435521033.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_00409A90 rdtsc 15_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_0040ACD0 LdrLoadDll, 15_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B451BE mov eax, dword ptr fs:[00000030h] 15_2_01B451BE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B451BE mov eax, dword ptr fs:[00000030h] 15_2_01B451BE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B451BE mov eax, dword ptr fs:[00000030h] 15_2_01B451BE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B451BE mov eax, dword ptr fs:[00000030h] 15_2_01B451BE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF61A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF61A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF61A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF61A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B469A6 mov eax, dword ptr fs:[00000030h] 15_2_01B469A6
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFA185 mov eax, dword ptr fs:[00000030h] 15_2_01AFA185
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEC182 mov eax, dword ptr fs:[00000030h] 15_2_01AEC182
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2990 mov eax, dword ptr fs:[00000030h] 15_2_01AF2990
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACB1E1 mov eax, dword ptr fs:[00000030h] 15_2_01ACB1E1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACB1E1 mov eax, dword ptr fs:[00000030h] 15_2_01ACB1E1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACB1E1 mov eax, dword ptr fs:[00000030h] 15_2_01ACB1E1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B541E8 mov eax, dword ptr fs:[00000030h] 15_2_01B541E8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE4120 mov eax, dword ptr fs:[00000030h] 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE4120 mov eax, dword ptr fs:[00000030h] 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE4120 mov eax, dword ptr fs:[00000030h] 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE4120 mov eax, dword ptr fs:[00000030h] 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE4120 mov ecx, dword ptr fs:[00000030h] 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF513A mov eax, dword ptr fs:[00000030h] 15_2_01AF513A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF513A mov eax, dword ptr fs:[00000030h] 15_2_01AF513A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9100 mov eax, dword ptr fs:[00000030h] 15_2_01AC9100
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9100 mov eax, dword ptr fs:[00000030h] 15_2_01AC9100
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9100 mov eax, dword ptr fs:[00000030h] 15_2_01AC9100
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACC962 mov eax, dword ptr fs:[00000030h] 15_2_01ACC962
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACB171 mov eax, dword ptr fs:[00000030h] 15_2_01ACB171
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACB171 mov eax, dword ptr fs:[00000030h] 15_2_01ACB171
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEB944 mov eax, dword ptr fs:[00000030h] 15_2_01AEB944
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEB944 mov eax, dword ptr fs:[00000030h] 15_2_01AEB944
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h] 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFF0BF mov ecx, dword ptr fs:[00000030h] 15_2_01AFF0BF
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFF0BF mov eax, dword ptr fs:[00000030h] 15_2_01AFF0BF
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFF0BF mov eax, dword ptr fs:[00000030h] 15_2_01AFF0BF
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B090AF mov eax, dword ptr fs:[00000030h] 15_2_01B090AF
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9080 mov eax, dword ptr fs:[00000030h] 15_2_01AC9080
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B43884 mov eax, dword ptr fs:[00000030h] 15_2_01B43884
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B43884 mov eax, dword ptr fs:[00000030h] 15_2_01B43884
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC58EC mov eax, dword ptr fs:[00000030h] 15_2_01AC58EC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_01B5B8D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5B8D0 mov ecx, dword ptr fs:[00000030h] 15_2_01B5B8D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_01B5B8D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_01B5B8D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_01B5B8D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_01B5B8D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF002D mov eax, dword ptr fs:[00000030h] 15_2_01AF002D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF002D mov eax, dword ptr fs:[00000030h] 15_2_01AF002D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF002D mov eax, dword ptr fs:[00000030h] 15_2_01AF002D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF002D mov eax, dword ptr fs:[00000030h] 15_2_01AF002D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF002D mov eax, dword ptr fs:[00000030h] 15_2_01AF002D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADB02A mov eax, dword ptr fs:[00000030h] 15_2_01ADB02A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADB02A mov eax, dword ptr fs:[00000030h] 15_2_01ADB02A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADB02A mov eax, dword ptr fs:[00000030h] 15_2_01ADB02A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADB02A mov eax, dword ptr fs:[00000030h] 15_2_01ADB02A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B47016 mov eax, dword ptr fs:[00000030h] 15_2_01B47016
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B47016 mov eax, dword ptr fs:[00000030h] 15_2_01B47016
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B47016 mov eax, dword ptr fs:[00000030h] 15_2_01B47016
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B94015 mov eax, dword ptr fs:[00000030h] 15_2_01B94015
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B94015 mov eax, dword ptr fs:[00000030h] 15_2_01B94015
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B82073 mov eax, dword ptr fs:[00000030h] 15_2_01B82073
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B91074 mov eax, dword ptr fs:[00000030h] 15_2_01B91074
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE0050 mov eax, dword ptr fs:[00000030h] 15_2_01AE0050
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE0050 mov eax, dword ptr fs:[00000030h] 15_2_01AE0050
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF4BAD mov eax, dword ptr fs:[00000030h] 15_2_01AF4BAD
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF4BAD mov eax, dword ptr fs:[00000030h] 15_2_01AF4BAD
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF4BAD mov eax, dword ptr fs:[00000030h] 15_2_01AF4BAD
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B95BA5 mov eax, dword ptr fs:[00000030h] 15_2_01B95BA5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD1B8F mov eax, dword ptr fs:[00000030h] 15_2_01AD1B8F
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD1B8F mov eax, dword ptr fs:[00000030h] 15_2_01AD1B8F
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8138A mov eax, dword ptr fs:[00000030h] 15_2_01B8138A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B7D380 mov ecx, dword ptr fs:[00000030h] 15_2_01B7D380
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2397 mov eax, dword ptr fs:[00000030h] 15_2_01AF2397
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFB390 mov eax, dword ptr fs:[00000030h] 15_2_01AFB390
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEDBE9 mov eax, dword ptr fs:[00000030h] 15_2_01AEDBE9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h] 15_2_01AF03E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h] 15_2_01AF03E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h] 15_2_01AF03E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h] 15_2_01AF03E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h] 15_2_01AF03E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h] 15_2_01AF03E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B453CA mov eax, dword ptr fs:[00000030h] 15_2_01B453CA
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B453CA mov eax, dword ptr fs:[00000030h] 15_2_01B453CA
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8131B mov eax, dword ptr fs:[00000030h] 15_2_01B8131B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACDB60 mov ecx, dword ptr fs:[00000030h] 15_2_01ACDB60
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF3B7A mov eax, dword ptr fs:[00000030h] 15_2_01AF3B7A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF3B7A mov eax, dword ptr fs:[00000030h] 15_2_01AF3B7A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B98B58 mov eax, dword ptr fs:[00000030h] 15_2_01B98B58
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACDB40 mov eax, dword ptr fs:[00000030h] 15_2_01ACDB40
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACF358 mov eax, dword ptr fs:[00000030h] 15_2_01ACF358
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC52A5 mov eax, dword ptr fs:[00000030h] 15_2_01AC52A5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC52A5 mov eax, dword ptr fs:[00000030h] 15_2_01AC52A5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC52A5 mov eax, dword ptr fs:[00000030h] 15_2_01AC52A5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC52A5 mov eax, dword ptr fs:[00000030h] 15_2_01AC52A5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC52A5 mov eax, dword ptr fs:[00000030h] 15_2_01AC52A5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADAAB0 mov eax, dword ptr fs:[00000030h] 15_2_01ADAAB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADAAB0 mov eax, dword ptr fs:[00000030h] 15_2_01ADAAB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFFAB0 mov eax, dword ptr fs:[00000030h] 15_2_01AFFAB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFD294 mov eax, dword ptr fs:[00000030h] 15_2_01AFD294
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFD294 mov eax, dword ptr fs:[00000030h] 15_2_01AFD294
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2AE4 mov eax, dword ptr fs:[00000030h] 15_2_01AF2AE4
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2ACB mov eax, dword ptr fs:[00000030h] 15_2_01AF2ACB
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B04A2C mov eax, dword ptr fs:[00000030h] 15_2_01B04A2C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B04A2C mov eax, dword ptr fs:[00000030h] 15_2_01B04A2C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD8A0A mov eax, dword ptr fs:[00000030h] 15_2_01AD8A0A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8AA16 mov eax, dword ptr fs:[00000030h] 15_2_01B8AA16
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8AA16 mov eax, dword ptr fs:[00000030h] 15_2_01B8AA16
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE3A1C mov eax, dword ptr fs:[00000030h] 15_2_01AE3A1C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACAA16 mov eax, dword ptr fs:[00000030h] 15_2_01ACAA16
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACAA16 mov eax, dword ptr fs:[00000030h] 15_2_01ACAA16
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC5210 mov eax, dword ptr fs:[00000030h] 15_2_01AC5210
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC5210 mov ecx, dword ptr fs:[00000030h] 15_2_01AC5210
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC5210 mov eax, dword ptr fs:[00000030h] 15_2_01AC5210
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC5210 mov eax, dword ptr fs:[00000030h] 15_2_01AC5210
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B0927A mov eax, dword ptr fs:[00000030h] 15_2_01B0927A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B7B260 mov eax, dword ptr fs:[00000030h] 15_2_01B7B260
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B7B260 mov eax, dword ptr fs:[00000030h] 15_2_01B7B260
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B98A62 mov eax, dword ptr fs:[00000030h] 15_2_01B98A62
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B54257 mov eax, dword ptr fs:[00000030h] 15_2_01B54257
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9240 mov eax, dword ptr fs:[00000030h] 15_2_01AC9240
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9240 mov eax, dword ptr fs:[00000030h] 15_2_01AC9240
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9240 mov eax, dword ptr fs:[00000030h] 15_2_01AC9240
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC9240 mov eax, dword ptr fs:[00000030h] 15_2_01AC9240
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8EA55 mov eax, dword ptr fs:[00000030h] 15_2_01B8EA55
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF35A1 mov eax, dword ptr fs:[00000030h] 15_2_01AF35A1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B905AC mov eax, dword ptr fs:[00000030h] 15_2_01B905AC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B905AC mov eax, dword ptr fs:[00000030h] 15_2_01B905AC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF1DB5 mov eax, dword ptr fs:[00000030h] 15_2_01AF1DB5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF1DB5 mov eax, dword ptr fs:[00000030h] 15_2_01AF1DB5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF1DB5 mov eax, dword ptr fs:[00000030h] 15_2_01AF1DB5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC2D8A mov eax, dword ptr fs:[00000030h] 15_2_01AC2D8A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC2D8A mov eax, dword ptr fs:[00000030h] 15_2_01AC2D8A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC2D8A mov eax, dword ptr fs:[00000030h] 15_2_01AC2D8A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC2D8A mov eax, dword ptr fs:[00000030h] 15_2_01AC2D8A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC2D8A mov eax, dword ptr fs:[00000030h] 15_2_01AC2D8A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2581 mov eax, dword ptr fs:[00000030h] 15_2_01AF2581
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2581 mov eax, dword ptr fs:[00000030h] 15_2_01AF2581
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2581 mov eax, dword ptr fs:[00000030h] 15_2_01AF2581
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF2581 mov eax, dword ptr fs:[00000030h] 15_2_01AF2581
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFFD9B mov eax, dword ptr fs:[00000030h] 15_2_01AFFD9B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFFD9B mov eax, dword ptr fs:[00000030h] 15_2_01AFFD9B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B78DF1 mov eax, dword ptr fs:[00000030h] 15_2_01B78DF1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADD5E0 mov eax, dword ptr fs:[00000030h] 15_2_01ADD5E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADD5E0 mov eax, dword ptr fs:[00000030h] 15_2_01ADD5E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_01B8FDE2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_01B8FDE2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_01B8FDE2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_01B8FDE2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h] 15_2_01B46DC9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h] 15_2_01B46DC9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h] 15_2_01B46DC9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46DC9 mov ecx, dword ptr fs:[00000030h] 15_2_01B46DC9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h] 15_2_01B46DC9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h] 15_2_01B46DC9
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8E539 mov eax, dword ptr fs:[00000030h] 15_2_01B8E539
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B4A537 mov eax, dword ptr fs:[00000030h] 15_2_01B4A537
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B98D34 mov eax, dword ptr fs:[00000030h] 15_2_01B98D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF4D3B mov eax, dword ptr fs:[00000030h] 15_2_01AF4D3B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF4D3B mov eax, dword ptr fs:[00000030h] 15_2_01AF4D3B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF4D3B mov eax, dword ptr fs:[00000030h] 15_2_01AF4D3B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h] 15_2_01AD3D34
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACAD30 mov eax, dword ptr fs:[00000030h] 15_2_01ACAD30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEC577 mov eax, dword ptr fs:[00000030h] 15_2_01AEC577
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEC577 mov eax, dword ptr fs:[00000030h] 15_2_01AEC577
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B03D43 mov eax, dword ptr fs:[00000030h] 15_2_01B03D43
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B43540 mov eax, dword ptr fs:[00000030h] 15_2_01B43540
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE7D50 mov eax, dword ptr fs:[00000030h] 15_2_01AE7D50
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD849B mov eax, dword ptr fs:[00000030h] 15_2_01AD849B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B814FB mov eax, dword ptr fs:[00000030h] 15_2_01B814FB
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46CF0 mov eax, dword ptr fs:[00000030h] 15_2_01B46CF0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46CF0 mov eax, dword ptr fs:[00000030h] 15_2_01B46CF0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46CF0 mov eax, dword ptr fs:[00000030h] 15_2_01B46CF0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B98CD6 mov eax, dword ptr fs:[00000030h] 15_2_01B98CD6
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFBC2C mov eax, dword ptr fs:[00000030h] 15_2_01AFBC2C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9740D mov eax, dword ptr fs:[00000030h] 15_2_01B9740D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9740D mov eax, dword ptr fs:[00000030h] 15_2_01B9740D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9740D mov eax, dword ptr fs:[00000030h] 15_2_01B9740D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h] 15_2_01B81C06
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h] 15_2_01B46C0A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h] 15_2_01B46C0A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h] 15_2_01B46C0A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h] 15_2_01B46C0A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AE746D mov eax, dword ptr fs:[00000030h] 15_2_01AE746D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFA44B mov eax, dword ptr fs:[00000030h] 15_2_01AFA44B
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5C450 mov eax, dword ptr fs:[00000030h] 15_2_01B5C450
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5C450 mov eax, dword ptr fs:[00000030h] 15_2_01B5C450
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B47794 mov eax, dword ptr fs:[00000030h] 15_2_01B47794
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B47794 mov eax, dword ptr fs:[00000030h] 15_2_01B47794
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B47794 mov eax, dword ptr fs:[00000030h] 15_2_01B47794
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD8794 mov eax, dword ptr fs:[00000030h] 15_2_01AD8794
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B037F5 mov eax, dword ptr fs:[00000030h] 15_2_01B037F5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC4F2E mov eax, dword ptr fs:[00000030h] 15_2_01AC4F2E
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AC4F2E mov eax, dword ptr fs:[00000030h] 15_2_01AC4F2E
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFE730 mov eax, dword ptr fs:[00000030h] 15_2_01AFE730
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFA70E mov eax, dword ptr fs:[00000030h] 15_2_01AFA70E
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFA70E mov eax, dword ptr fs:[00000030h] 15_2_01AFA70E
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5FF10 mov eax, dword ptr fs:[00000030h] 15_2_01B5FF10
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5FF10 mov eax, dword ptr fs:[00000030h] 15_2_01B5FF10
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9070D mov eax, dword ptr fs:[00000030h] 15_2_01B9070D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B9070D mov eax, dword ptr fs:[00000030h] 15_2_01B9070D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEF716 mov eax, dword ptr fs:[00000030h] 15_2_01AEF716
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADFF60 mov eax, dword ptr fs:[00000030h] 15_2_01ADFF60
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B98F6A mov eax, dword ptr fs:[00000030h] 15_2_01B98F6A
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ADEF40 mov eax, dword ptr fs:[00000030h] 15_2_01ADEF40
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B446A7 mov eax, dword ptr fs:[00000030h] 15_2_01B446A7
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B90EA5 mov eax, dword ptr fs:[00000030h] 15_2_01B90EA5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B90EA5 mov eax, dword ptr fs:[00000030h] 15_2_01B90EA5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B90EA5 mov eax, dword ptr fs:[00000030h] 15_2_01B90EA5
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B5FE87 mov eax, dword ptr fs:[00000030h] 15_2_01B5FE87
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF16E0 mov ecx, dword ptr fs:[00000030h] 15_2_01AF16E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD76E2 mov eax, dword ptr fs:[00000030h] 15_2_01AD76E2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF36CC mov eax, dword ptr fs:[00000030h] 15_2_01AF36CC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B98ED6 mov eax, dword ptr fs:[00000030h] 15_2_01B98ED6
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B7FEC0 mov eax, dword ptr fs:[00000030h] 15_2_01B7FEC0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B08EC7 mov eax, dword ptr fs:[00000030h] 15_2_01B08EC7
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B7FE3F mov eax, dword ptr fs:[00000030h] 15_2_01B7FE3F
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACE620 mov eax, dword ptr fs:[00000030h] 15_2_01ACE620
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACC600 mov eax, dword ptr fs:[00000030h] 15_2_01ACC600
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACC600 mov eax, dword ptr fs:[00000030h] 15_2_01ACC600
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01ACC600 mov eax, dword ptr fs:[00000030h] 15_2_01ACC600
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AF8E00 mov eax, dword ptr fs:[00000030h] 15_2_01AF8E00
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B81608 mov eax, dword ptr fs:[00000030h] 15_2_01B81608
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFA61C mov eax, dword ptr fs:[00000030h] 15_2_01AFA61C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AFA61C mov eax, dword ptr fs:[00000030h] 15_2_01AFA61C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD766D mov eax, dword ptr fs:[00000030h] 15_2_01AD766D
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h] 15_2_01AEAE73
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h] 15_2_01AEAE73
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h] 15_2_01AEAE73
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h] 15_2_01AEAE73
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h] 15_2_01AEAE73
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h] 15_2_01AD7E41
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h] 15_2_01AD7E41
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h] 15_2_01AD7E41
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h] 15_2_01AD7E41
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h] 15_2_01AD7E41
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h] 15_2_01AD7E41
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8AE44 mov eax, dword ptr fs:[00000030h] 15_2_01B8AE44
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Code function: 15_2_01B8AE44 mov eax, dword ptr fs:[00000030h] 15_2_01B8AE44
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26CF0 mov eax, dword ptr fs:[00000030h] 19_2_04E26CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26CF0 mov eax, dword ptr fs:[00000030h] 19_2_04E26CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26CF0 mov eax, dword ptr fs:[00000030h] 19_2_04E26CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E614FB mov eax, dword ptr fs:[00000030h] 19_2_04E614FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E78CD6 mov eax, dword ptr fs:[00000030h] 19_2_04E78CD6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB849B mov eax, dword ptr fs:[00000030h] 19_2_04DB849B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDA44B mov eax, dword ptr fs:[00000030h] 19_2_04DDA44B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC746D mov eax, dword ptr fs:[00000030h] 19_2_04DC746D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3C450 mov eax, dword ptr fs:[00000030h] 19_2_04E3C450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3C450 mov eax, dword ptr fs:[00000030h] 19_2_04E3C450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h] 19_2_04E61C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h] 19_2_04E26C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h] 19_2_04E26C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h] 19_2_04E26C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h] 19_2_04E26C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7740D mov eax, dword ptr fs:[00000030h] 19_2_04E7740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7740D mov eax, dword ptr fs:[00000030h] 19_2_04E7740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7740D mov eax, dword ptr fs:[00000030h] 19_2_04E7740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDBC2C mov eax, dword ptr fs:[00000030h] 19_2_04DDBC2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h] 19_2_04E6FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h] 19_2_04E6FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h] 19_2_04E6FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h] 19_2_04E6FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E58DF1 mov eax, dword ptr fs:[00000030h] 19_2_04E58DF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h] 19_2_04E26DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h] 19_2_04E26DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h] 19_2_04E26DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26DC9 mov ecx, dword ptr fs:[00000030h] 19_2_04E26DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h] 19_2_04E26DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h] 19_2_04E26DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBD5E0 mov eax, dword ptr fs:[00000030h] 19_2_04DBD5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBD5E0 mov eax, dword ptr fs:[00000030h] 19_2_04DBD5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDFD9B mov eax, dword ptr fs:[00000030h] 19_2_04DDFD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDFD9B mov eax, dword ptr fs:[00000030h] 19_2_04DDFD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E705AC mov eax, dword ptr fs:[00000030h] 19_2_04E705AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E705AC mov eax, dword ptr fs:[00000030h] 19_2_04E705AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h] 19_2_04DA2D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h] 19_2_04DA2D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h] 19_2_04DA2D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h] 19_2_04DA2D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h] 19_2_04DA2D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h] 19_2_04DD2581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h] 19_2_04DD2581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h] 19_2_04DD2581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h] 19_2_04DD2581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD1DB5 mov eax, dword ptr fs:[00000030h] 19_2_04DD1DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD1DB5 mov eax, dword ptr fs:[00000030h] 19_2_04DD1DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD1DB5 mov eax, dword ptr fs:[00000030h] 19_2_04DD1DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD35A1 mov eax, dword ptr fs:[00000030h] 19_2_04DD35A1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC7D50 mov eax, dword ptr fs:[00000030h] 19_2_04DC7D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE3D43 mov eax, dword ptr fs:[00000030h] 19_2_04DE3D43
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E23540 mov eax, dword ptr fs:[00000030h] 19_2_04E23540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCC577 mov eax, dword ptr fs:[00000030h] 19_2_04DCC577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCC577 mov eax, dword ptr fs:[00000030h] 19_2_04DCC577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E78D34 mov eax, dword ptr fs:[00000030h] 19_2_04E78D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E2A537 mov eax, dword ptr fs:[00000030h] 19_2_04E2A537
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6E539 mov eax, dword ptr fs:[00000030h] 19_2_04E6E539
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD4D3B mov eax, dword ptr fs:[00000030h] 19_2_04DD4D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD4D3B mov eax, dword ptr fs:[00000030h] 19_2_04DD4D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD4D3B mov eax, dword ptr fs:[00000030h] 19_2_04DD4D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAAD30 mov eax, dword ptr fs:[00000030h] 19_2_04DAAD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h] 19_2_04DB3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD36CC mov eax, dword ptr fs:[00000030h] 19_2_04DD36CC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE8EC7 mov eax, dword ptr fs:[00000030h] 19_2_04DE8EC7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E5FEC0 mov eax, dword ptr fs:[00000030h] 19_2_04E5FEC0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E78ED6 mov eax, dword ptr fs:[00000030h] 19_2_04E78ED6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB76E2 mov eax, dword ptr fs:[00000030h] 19_2_04DB76E2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD16E0 mov ecx, dword ptr fs:[00000030h] 19_2_04DD16E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E70EA5 mov eax, dword ptr fs:[00000030h] 19_2_04E70EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E70EA5 mov eax, dword ptr fs:[00000030h] 19_2_04E70EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E70EA5 mov eax, dword ptr fs:[00000030h] 19_2_04E70EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E246A7 mov eax, dword ptr fs:[00000030h] 19_2_04E246A7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3FE87 mov eax, dword ptr fs:[00000030h] 19_2_04E3FE87
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h] 19_2_04DB7E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h] 19_2_04DB7E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h] 19_2_04DB7E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h] 19_2_04DB7E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h] 19_2_04DB7E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h] 19_2_04DB7E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6AE44 mov eax, dword ptr fs:[00000030h] 19_2_04E6AE44
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6AE44 mov eax, dword ptr fs:[00000030h] 19_2_04E6AE44
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h] 19_2_04DCAE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h] 19_2_04DCAE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h] 19_2_04DCAE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h] 19_2_04DCAE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h] 19_2_04DCAE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB766D mov eax, dword ptr fs:[00000030h] 19_2_04DB766D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDA61C mov eax, dword ptr fs:[00000030h] 19_2_04DDA61C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDA61C mov eax, dword ptr fs:[00000030h] 19_2_04DDA61C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E5FE3F mov eax, dword ptr fs:[00000030h] 19_2_04E5FE3F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAC600 mov eax, dword ptr fs:[00000030h] 19_2_04DAC600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAC600 mov eax, dword ptr fs:[00000030h] 19_2_04DAC600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAC600 mov eax, dword ptr fs:[00000030h] 19_2_04DAC600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD8E00 mov eax, dword ptr fs:[00000030h] 19_2_04DD8E00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E61608 mov eax, dword ptr fs:[00000030h] 19_2_04E61608
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAE620 mov eax, dword ptr fs:[00000030h] 19_2_04DAE620
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE37F5 mov eax, dword ptr fs:[00000030h] 19_2_04DE37F5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DB8794 mov eax, dword ptr fs:[00000030h] 19_2_04DB8794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E27794 mov eax, dword ptr fs:[00000030h] 19_2_04E27794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E27794 mov eax, dword ptr fs:[00000030h] 19_2_04E27794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E27794 mov eax, dword ptr fs:[00000030h] 19_2_04E27794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E78F6A mov eax, dword ptr fs:[00000030h] 19_2_04E78F6A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBEF40 mov eax, dword ptr fs:[00000030h] 19_2_04DBEF40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBFF60 mov eax, dword ptr fs:[00000030h] 19_2_04DBFF60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCF716 mov eax, dword ptr fs:[00000030h] 19_2_04DCF716
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDA70E mov eax, dword ptr fs:[00000030h] 19_2_04DDA70E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDA70E mov eax, dword ptr fs:[00000030h] 19_2_04DDA70E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7070D mov eax, dword ptr fs:[00000030h] 19_2_04E7070D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E7070D mov eax, dword ptr fs:[00000030h] 19_2_04E7070D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDE730 mov eax, dword ptr fs:[00000030h] 19_2_04DDE730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3FF10 mov eax, dword ptr fs:[00000030h] 19_2_04E3FF10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3FF10 mov eax, dword ptr fs:[00000030h] 19_2_04E3FF10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA4F2E mov eax, dword ptr fs:[00000030h] 19_2_04DA4F2E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA4F2E mov eax, dword ptr fs:[00000030h] 19_2_04DA4F2E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04E3B8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3B8D0 mov ecx, dword ptr fs:[00000030h] 19_2_04E3B8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04E3B8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04E3B8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04E3B8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04E3B8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA58EC mov eax, dword ptr fs:[00000030h] 19_2_04DA58EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA9080 mov eax, dword ptr fs:[00000030h] 19_2_04DA9080
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDF0BF mov ecx, dword ptr fs:[00000030h] 19_2_04DDF0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDF0BF mov eax, dword ptr fs:[00000030h] 19_2_04DDF0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDF0BF mov eax, dword ptr fs:[00000030h] 19_2_04DDF0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E23884 mov eax, dword ptr fs:[00000030h] 19_2_04E23884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E23884 mov eax, dword ptr fs:[00000030h] 19_2_04E23884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE90AF mov eax, dword ptr fs:[00000030h] 19_2_04DE90AF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC0050 mov eax, dword ptr fs:[00000030h] 19_2_04DC0050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC0050 mov eax, dword ptr fs:[00000030h] 19_2_04DC0050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E71074 mov eax, dword ptr fs:[00000030h] 19_2_04E71074
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E62073 mov eax, dword ptr fs:[00000030h] 19_2_04E62073
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h] 19_2_04DD002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h] 19_2_04DD002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h] 19_2_04DD002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h] 19_2_04DD002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h] 19_2_04DD002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h] 19_2_04DBB02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h] 19_2_04DBB02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h] 19_2_04DBB02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h] 19_2_04DBB02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E74015 mov eax, dword ptr fs:[00000030h] 19_2_04E74015
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E74015 mov eax, dword ptr fs:[00000030h] 19_2_04E74015
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E27016 mov eax, dword ptr fs:[00000030h] 19_2_04E27016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E27016 mov eax, dword ptr fs:[00000030h] 19_2_04E27016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E27016 mov eax, dword ptr fs:[00000030h] 19_2_04E27016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E341E8 mov eax, dword ptr fs:[00000030h] 19_2_04E341E8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAB1E1 mov eax, dword ptr fs:[00000030h] 19_2_04DAB1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAB1E1 mov eax, dword ptr fs:[00000030h] 19_2_04DAB1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAB1E1 mov eax, dword ptr fs:[00000030h] 19_2_04DAB1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E269A6 mov eax, dword ptr fs:[00000030h] 19_2_04E269A6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2990 mov eax, dword ptr fs:[00000030h] 19_2_04DD2990
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDA185 mov eax, dword ptr fs:[00000030h] 19_2_04DDA185
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E251BE mov eax, dword ptr fs:[00000030h] 19_2_04E251BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCC182 mov eax, dword ptr fs:[00000030h] 19_2_04DCC182
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD61A0 mov eax, dword ptr fs:[00000030h] 19_2_04DD61A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DCB944 mov eax, dword ptr fs:[00000030h] 19_2_04DCB944
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAB171 mov eax, dword ptr fs:[00000030h] 19_2_04DAB171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAC962 mov eax, dword ptr fs:[00000030h] 19_2_04DAC962
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA9100 mov eax, dword ptr fs:[00000030h] 19_2_04DA9100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD513A mov eax, dword ptr fs:[00000030h] 19_2_04DD513A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC4120 mov eax, dword ptr fs:[00000030h] 19_2_04DC4120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC4120 mov ecx, dword ptr fs:[00000030h] 19_2_04DC4120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2ACB mov eax, dword ptr fs:[00000030h] 19_2_04DD2ACB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DD2AE4 mov eax, dword ptr fs:[00000030h] 19_2_04DD2AE4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDD294 mov eax, dword ptr fs:[00000030h] 19_2_04DDD294
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DBAAB0 mov eax, dword ptr fs:[00000030h] 19_2_04DBAAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DDFAB0 mov eax, dword ptr fs:[00000030h] 19_2_04DDFAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA52A5 mov eax, dword ptr fs:[00000030h] 19_2_04DA52A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E78A62 mov eax, dword ptr fs:[00000030h] 19_2_04E78A62
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E5B260 mov eax, dword ptr fs:[00000030h] 19_2_04E5B260
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA9240 mov eax, dword ptr fs:[00000030h] 19_2_04DA9240
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DE927A mov eax, dword ptr fs:[00000030h] 19_2_04DE927A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E6EA55 mov eax, dword ptr fs:[00000030h] 19_2_04E6EA55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04E34257 mov eax, dword ptr fs:[00000030h] 19_2_04E34257
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DC3A1C mov eax, dword ptr fs:[00000030h] 19_2_04DC3A1C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA5210 mov eax, dword ptr fs:[00000030h] 19_2_04DA5210
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DA5210 mov ecx, dword ptr fs:[00000030h] 19_2_04DA5210
Source: C:\Windows\SysWOW64\wscript.exe Code function: 19_2_04DAAA16 mov eax, dword ptr fs:[00000030h] 19_2_04DAAA16
Enables debug privileges
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Domain query: www.portablesteamsaunas.com
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Memory written: C:\Users\user\Desktop\COVID-19-Related Requirements.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: E20000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: explorer.exe, 00000010.00000002.610856927.0000000004F80000.00000004.00000001.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.435313818.00000000008B8000.00000004.00000020.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000002.598251507.0000000000EE0000.00000002.00000001.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000010.00000002.598251507.0000000000EE0000.00000002.00000001.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Users\user\Desktop\COVID-19-Related Requirements.exe VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 425178
Sample: COVID-19-Related Requirements.exe
Startdate: 26/05/2021
Architecture: WINDOWS
Score: 100

Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

COVID-19-Related Requirements.exe (started)
  Dropped file: C:\...\COVID-19-Related Requirements.exe.log, ASCII
  Signature: Injects a PE file into a foreign processes
  Started: COVID-19-Related Requirements.exe (three child instances)

COVID-19-Related Requirements.exe (child instance)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  Injected: explorer.exe

explorer.exe (injected)
  DNS/IP: www.portablesteamsaunas.com 52.58.78.16, ports 49748, 80, AMAZON-02US, United States
  Signature: System process connects to network (likely due to code injection or exploit)
  Started: wscript.exe

wscript.exe
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  Started: cmd.exe

cmd.exe
  Started: conhost.exe

Contacted Public IPs

IP: 52.58.78.16
Domain: www.portablesteamsaunas.com
Country: United States
ASN: 16509
ASN Name: AMAZON-02US
Malicious: true

Contacted Domains

Name IP Active
www.portablesteamsaunas.com 52.58.78.16 true

Contacted URLs

Name: www.tiffanysbeautybling.com/cgsp/
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: low