General Info

File name

Corona-virus-Map.com.bin

Full analysis
https://app.any.run/tasks/00854d4b-0f62-45d7-966f-25cd232ece56
Verdict
Malicious activity
Analysis date
01/12/2020, 17:49:36
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19, stealer, evasion, autoit, trojan, qulab

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

73da2c02c6f8bfd4662dc84820dcd983

SHA1

949b69bf87515ad8945ce9a79f68f8b788c0ae39

SHA256

2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307

SSDEEP

98304:r2cPK8o4ZhHpmaFDh62Z4BDksIslSOkXvR:iCKCZho6k2IDks/b8Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
40 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.17843 KB3058515
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)
  • srvpost (2.12.72)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2533623
  • KB2534111
  • KB2639308
  • KB2729094
  • KB2731771
  • KB2786081
  • KB2834140
  • KB2882822
  • KB2888049
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes settings of System certificates
  • Corona-virus-Map.com.exe (PID: 3100)
Application was dropped or rewritten from another process
  • Corona.sfx.exe (PID: 3956)
  • Corona-virus-Map.com.exe (PID: 3100)
  • Corona.exe (PID: 2452)
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
  • bin.exe (PID: 588)
  • Build.exe (PID: 2488)
  • Corona.exe (PID: 2384)
Drops executable file immediately after start
  • Corona.exe (PID: 2452)
  • Corona.sfx.exe (PID: 3956)
  • Corona.exe (PID: 2384)
Stealing of credential data
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
Actions look like stealing of personal data
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
Loads the Task Scheduler COM API
  • Build.exe (PID: 2488)
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
QULAB was detected
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
Reads internet explorer settings
  • Corona-virus-Map.com.exe (PID: 3100)
Adds / modifies Windows certificates
  • Corona-virus-Map.com.exe (PID: 3100)
Drops a file that was compiled in debug mode
  • Corona.exe (PID: 2452)
  • Corona-virus-Map.com.bin.exe (PID: 2528)
Starts CMD.EXE for commands execution
  • Corona.exe (PID: 2452)
Creates files in the user directory
  • Corona-virus-Map.com.bin.exe (PID: 2528)
  • Corona.exe (PID: 2384)
  • Build.exe (PID: 2488)
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
  • Windows.Globalization.Fontgroups.module.exe (PID: 2604)
Executable content was dropped or overwritten
  • Corona-virus-Map.com.bin.exe (PID: 2528)
  • Corona.exe (PID: 2452)
  • Corona.sfx.exe (PID: 3956)
  • Corona.exe (PID: 2384)
  • Build.exe (PID: 2488)
Drops a file with too old compile date
  • Corona-virus-Map.com.bin.exe (PID: 2528)
Reads the cookies of Mozilla Firefox
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
Starts itself from another location
  • Build.exe (PID: 2488)
Reads the cookies of Google Chrome
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
Drops a file with a compile date too recent
  • Corona.exe (PID: 2384)
Uses ATTRIB.EXE to modify file attributes
  • Windows.Globalization.Fontgroups.exe (PID: 2160)
Drops Coronavirus (possible) decoy
  • Corona-virus-Map.com.bin.exe (PID: 2528)
  • Corona.exe (PID: 2452)
  • Corona.sfx.exe (PID: 3956)
Reads settings of System Certificates
  • Windows.Globalization.Fontgroups.exe (PID: 2160)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
  • .exe | Win64 Executable (generic) (64.6%)
  • .dll | Win32 Dynamic Link Library (generic) (15.4%)
  • .exe | Win32 Executable (generic) (10.5%)
  • .exe | Generic Win/DOS Executable (4.6%)
  • .exe | DOS Executable Generic (4.6%)
EXIF
EXE
CharacterSet:
Unicode
LanguageCode:
English (British)
FileSubtype:
null
ObjectFileType:
Executable application
FileOS:
Win32
FileFlags:
(none)
FileFlagsMask:
0x0000
ProductVersionNumber:
0.0.0.0
FileVersionNumber:
0.0.0.0
Subsystem:
Windows GUI
SubsystemVersion:
5.1
ImageVersion:
null
OSVersion:
5.1
EntryPoint:
0x2800a
UninitializedDataSize:
null
InitializedDataSize:
2839040
CodeSize:
581632
LinkerVersion:
12
PEType:
PE32
TimeStamp:
2020:03:02 17:21:09+01:00
MachineType:
Intel 386 or later, and compatibles
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
02-Mar-2020 16:21:09
Detected languages
English - United Kingdom
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000110
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
02-Mar-2020 16:21:09
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0008DFDD 0x0008E000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.67525
.rdata 0x0008F000 0x0002FD8E 0x0002FE00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.76324
.data 0x000BF000 0x00008F74 0x00005200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.19638
.rsrc 0x000C8000 0x00278FF4 0x00279000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.94383
.reloc 0x00341000 0x00007134 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.78396
Resources
  • 1
  • 2
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 99
  • 169
  • 313
  • SCRIPT

Imports
  • WSOCK32.dll
  • VERSION.dll
  • WINMM.dll
  • COMCTL32.dll
  • MPR.dll
  • WININET.dll
  • PSAPI.DLL
  • IPHLPAPI.DLL
  • USERENV.dll
  • UxTheme.dll
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • COMDLG32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • ole32.dll
  • OLEAUT32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
48
Monitored processes
11
Malicious processes
7
Suspicious processes
1

Behavior graph

Graph nodes in display order (edges in the graph are labelled "drop and start", six of them, or "start", one):
  • corona-virus-map.com.bin.exe
  • corona.exe
  • corona-virus-map.com.exe
  • cmd.exe (no specs)
  • corona.sfx.exe
  • corona.exe
  • bin.exe (no specs)
  • build.exe
  • windows.globalization.fontgroups.exe (#QULAB)
  • windows.globalization.fontgroups.module.exe (no specs)
  • attrib.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2528
CMD
"C:\Users\admin\AppData\Local\Temp\Corona-virus-Map.com.bin.exe"
Path
C:\Users\admin\AppData\Local\Temp\Corona-virus-Map.com.bin.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ole32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\imm32.dll
c:\users\admin\appdata\local\temp\corona-virus-map.com.bin.exe
c:\windows\system32\shell32.dll
c:\windows\system32\wsock32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mpr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\user32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\z11062600\corona-virus-map.com.exe
c:\windows\system32\sfc.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\roaming\z11062600\corona.exe
c:\windows\system32\secur32.dll
c:\windows\system32\setupapi.dll

PID
2452
CMD
"C:\Users\admin\AppData\Roaming\Z11062600\Corona.exe"
Path
C:\Users\admin\AppData\Roaming\Z11062600\Corona.exe
Indicators
Parent process
Corona-virus-Map.com.bin.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\riched20.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\user32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sechost.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\users\admin\appdata\roaming\z11062600\corona.exe
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sfc_os.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\version.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\devobj.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\slc.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll

PID
3100
CMD
"C:\Users\admin\AppData\Roaming\Z11062600\Corona-virus-Map.com.exe"
Path
C:\Users\admin\AppData\Roaming\Z11062600\Corona-virus-Map.com.exe
Indicators
Parent process
Corona-virus-Map.com.bin.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
WindowsFormsApp2
Version
1.0.0.0
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\users\admin\appdata\roaming\z11062600\corona-virus-map.com.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wininet.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\secur32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sxs.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\webio.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\jscript9.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msimtf.dll
c:\windows\assembly\gac\microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\microsoft.mshtml.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d10warp.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uianimation.dll

PID
2764
CMD
cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\Corona.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Corona.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cmd.exe
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\users\admin\appdata\local\temp\rarsfx0\corona.sfx.exe

PID
3956
CMD
Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32
Path
C:\Users\admin\AppData\Local\Temp\RarSFX0\Corona.sfx.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\lpk.dll
c:\windows\system32\crypt32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\propsys.dll
c:\users\admin\appdata\local\temp\rarsfx0\corona.sfx.exe
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\users\admin\appdata\local\temp\rarsfx1\corona.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ntshrui.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\cscapi.dll

PID
2384
CMD
"C:\Users\admin\AppData\Local\Temp\RarSFX1\Corona.exe"
Path
C:\Users\admin\AppData\Local\Temp\RarSFX1\Corona.exe
Indicators
Parent process
Corona.sfx.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\nsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\local\temp\rarsfx1\corona.exe
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ntmarta.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\z58538177\build.exe
c:\windows\system32\cfgmgr32.dll
c:\users\admin\appdata\roaming\z58538177\bin.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll

PID
588
CMD
"C:\Users\admin\AppData\Roaming\Z58538177\bin.exe"
Path
C:\Users\admin\AppData\Roaming\Z58538177\bin.exe
Indicators
No indicators
Parent process
Corona.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft® Cabinet File API
Description
MFC Language Specific Resources
Version
5.7.2.8
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rasadhlp.dll
c:\users\admin\appdata\roaming\z58538177\bin.exe
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\user32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\webio.dll
c:\windows\system32\crtdll.dll
c:\windows\system32\mswsock.dll

PID
2488
CMD
"C:\Users\admin\AppData\Roaming\Z58538177\Build.exe"
Path
C:\Users\admin\AppData\Roaming\Z58538177\Build.exe
Indicators
Parent process
Corona.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
DLL помощника сетевой оболочки для winHttp (Russian: "winHttp network shell helper DLL")
Description
Журналы и оповещения производительности (Russian: "Performance Logs and Alerts")
Version
4.8.9.9
Modules
Image
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\users\admin\appdata\roaming\z58538177\build.exe
c:\windows\system32\cryptbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wininet.dll
c:\windows\system32\imm32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\webio.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2160
CMD
C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
Path
C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
Indicators
Parent process
Build.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
DLL помощника сетевой оболочки для winHttp (Russian: "winHttp network shell helper DLL")
Description
Журналы и оповещения производительности (Russian: "Performance Logs and Alerts")
Version
4.8.9.9
Modules
Image
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\systemroot\system32\ntdll.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\users\admin\appdata\roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\windows.globalization.fontgroups.exe
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\webio.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wship6.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wbem\fastprox.dll
c:\users\admin\appdata\roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\windows.globalization.fontgroups.sqlite3.module.dll
c:\windows\system32\sxs.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\slc.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntmarta.dll
c:\users\admin\appdata\roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\windows.globalization.fontgroups.module.exe
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\netutils.dll
c:\windows\system32\taskschd.dll

PID
2604
CMD
C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe a -y -mx9 -ssw "C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_6887FE9730D2535E9D41.7z" "C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\*"
Path
C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe
Indicators
No indicators
Parent process
Windows.Globalization.Fontgroups.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\users\admin\appdata\roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\windows.globalization.fontgroups.module.exe
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msctf.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernel32.dll

PID
860
CMD
attrib +s +h "C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
Windows.Globalization.Fontgroups.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\attrib.exe
c:\windows\system32\ulib.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Registry activity

Total events
1725
Read events
0
Write events
66
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
2528
Corona-virus-Map.com.bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2528
Corona-virus-Map.com.bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2452
Corona.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2452
Corona.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3100
Corona-virus-Map.com.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
(default)
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
3100
Corona-virus-Map.com.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
3100
Corona-virus-Map.com.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Blob
3100
Corona-virus-Map.com.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\arcgis.com
NumberOfSubdomains
1
3956
Corona.sfx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3956
Corona.sfx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2384
Corona.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2384
Corona.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
588
bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2160
Windows.Globalization.Fontgroups.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US

Files activity

Executable files
7
Suspicious files
7
Text files
77
Unknown types
34

Dropped files

PID
Process
Filename
Type
2528
Corona-virus-Map.com.bin.exe
C:\Users\admin\AppData\Roaming\Z11062600\Corona-virus-Map.com.exe
executable
MD5: 07b819b4d602635365e361b96749ac3e
SHA256: 203c7e843936469ecf0f5dec989d690b0c770f803e46062ad0a9885a1105a2b8
2488
Build.exe
C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
executable
MD5: f6a5e02f46d761d3890debd8f2084d37
SHA256: 126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040
3956
Corona.sfx.exe
C:\Users\admin\AppData\Local\Temp\RarSFX1\Corona.exe
executable
MD5: 27ad5971933d514c3a0e90fe2a0f0389
SHA256: 13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e
2452
Corona.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\Corona.sfx.exe
executable
MD5: 3cb9fc1ee05f49438455ba1aea3bca4e
SHA256: 148520c746aee00d7330e8c639a0bcd576c9a431acb197e36f27529f5e897fb4
2528
Corona-virus-Map.com.bin.exe
C:\Users\admin\AppData\Roaming\Z11062600\Corona.exe
executable
MD5: 1beba1640f5573cbac5552ae02c38f33
SHA256: 0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d
2384
Corona.exe
C:\Users\admin\AppData\Roaming\Z58538177\Build.exe
executable
MD5: f6a5e02f46d761d3890debd8f2084d37
SHA256: 126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040
2384
Corona.exe
C:\Users\admin\AppData\Roaming\Z58538177\bin.exe
executable
MD5: c4852ee6589252c601bc2922a35dd7da
SHA256: fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\31e0c094-e345-4a54-a797-d5f1a5885572[1].woff
woff
MD5: 6a50b2f73c597d467f0fb33f06e049d2
SHA256: 6b4956524a42ce7c942860139263b338450a37c310e6622a70243237d3755cbe
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\colors[2].js
text
MD5: c4bf6c0f880fd1feab2e27713f2a2cda
SHA256: 66a9e41deb61ef96b500e3b1c2f1605851766815b99df58a94954fe7f345661b
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\ClassificationDefinition[1].js
text
MD5: d94cebb18c289b3220760291c5c09937
SHA256: c12c266b07094a10b6f2d96116c51ac00e611985b94bb1a65d0526829eedcef5
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\_ListMouseMixin[1].js
text
MD5: 4d441f6e20495063a3061408c9e92ec4
SHA256: d8d5b6a5031f19d2bef805c6d280c099d42ee52f29b94ffc867c604a27940fec
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\HorizontalRule[1].js
text
MD5: ad404584cdfd0f212432d640aa739fce
SHA256: ab539fe6b4ec5e3abd3d4fd96dc442baf32631b37cd7ccd6582551fd3690ef2d
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MappedTextBox[1].js
text
MD5: 3c918510115134c321d61a6a37a3ff7f
SHA256: b73047138fd6534ec3f6b7e8fbceed0e68b17fe32e7e8db96888e00b5d0bf237
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\move[1].js
text
MD5: 51fba84a1d498fd52ec26e3d361373a8
SHA256: 7b5debf1e0841aee293dab972d0266a7d8f842947dc3b317fa754f73355e5f1f
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\vendor-5580dd4ccaee1ef828987599d43084b9[1].js
text
MD5: 5580dd4ccaee1ef828987599d43084b9
SHA256: 575b43f29aab0ad4ee7f827232af74a1370164a7fabb2ff391c423acc424242c
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\RangeBoundTextBox[1].js
text
MD5: 02e7f23dfe3068fd2ac627043822049f
SHA256: 64241a8a248d60d28b3b4d06364c1f071f7d6b92c515c0f7b020743bc705c4b9
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\lite[1].js
text
MD5: ab27e17c8bd58f7f79a34d34b8d92e67
SHA256: 1b393c19ca7693894e9f69dac4efefc6958318cea90cd6b3036978b0a07e5365
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\main[1].js
text
MD5: 9b75021f959f198041553d94f0f24318
SHA256: 4366a13e1a54ae42e01de38f49447d8831bf1685e30ffe08615ead570c5042c8
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\_CheckBoxMixin[1].js
text
MD5: d7d01bd35900fc5b653a0f02a30151e5
SHA256: 27e479db85f768dc2ddaf2f507a087518a43dae349c0bf383f4d915bd11dd1e7
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\VectorTileLayerImpl_en-us[1].js
text
MD5: e390d3a966aa1c21075441dcdcdbf883
SHA256: d605cbcd3c6b5e4b2e9c62f3db9f328e63e66e2b7f7552181516443975349a8f
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\_ListBase[1].js
text
MD5: 8488c04d0070c4f67f96a5711a2f7010
SHA256: b3231572c20138d2852832d427bc1cd416f6eb6d116beab7f8c45cd3ebc4f3fe
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\_RadioButtonMixin[1].js
text
MD5: d99451237acb73c488417efacb565883
SHA256: 6cf940935fa6733a0d562a06a5f1ba87c7d5566044475f2e41db7d8fd4f69e20
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\CheckBox[1].js
text
MD5: 2d6d52a749ff601d3c98af4c91603aa8
SHA256: b8d7f66f519328eacbec6ad03f916a19ecf91989ffa8a5279dbd6c127d9c0fcb
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\f1799750-0952-403f-8108-b2402eed0f62[1].woff
woff
MD5: d90b3fe2f94dedd55f39fcb8a32d5cfd
SHA256: 0d9611ab9656b8db4adb79bd6a336e103a585b6a8b6258a277d82403fa36bc05
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\CalendarLite[1].js
text
MD5: 027c9ec36d9363f21b2f30c2d3e35fae
SHA256: 9b7c105d8c636a5f3e53faf0f300d7ea7de567462f71bedf67a6761da3426738
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\HorizontalSlider[1].js
text
MD5: 60bd3bb63b7381b0da551cb7b6b5c4dd
SHA256: d30b7db34d5417522889a67617170cf2bd720f9424189d9f8ed4d34228e27df2
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\121524c1-8d82-4155-bfb3-fd2f15f09e93[1].woff
woff
MD5: ea3da2388b69f5d8d06c910b9044e860
SHA256: 6b035465f7883f7b90c14c2553c198c7aff1a724129c1f290d43d7c631c00ab5
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\VectorTileLayerImpl[1].js
text
MD5: c06ec8a62633e708f245108f05846a4e
SHA256: 5e3942da5ff124198bd8769aa160eef2c826110b27ffd4402117f01665c12748
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\d9e4040d-32ff-4a1c-ac04-927a781da1f5[1].woff
woff
MD5: 548dcacaa3aa1c54e6ac87f35e23ba8b
SHA256: 35003862402d7412468dbc14b40f9b16ea56676a9eb87f09b70f4032c10bb5f9
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\WorkerClient[1].js
text
MD5: 671844b9bf7de7e97c5eba8232b00faa
SHA256: 8cadc572a0f5837430b89bb18f3a3a9feb3dc9d907e6415af362854ad8f23a99
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\fa71df11-7b19-4baf-8ff7-3537dea718f0[1].woff
woff
MD5: d05573378157a0569b7dfa6438cb4c1e
SHA256: 9f8140f53cba95c53b116502741f9ec754ae0c75a81e12d48e37140c1ce5bd69
3100
Corona-virus-Map.com.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\f4a085c3-1c64-4fc0-a598-26f3e658c2b0[1].woff woff MD5: 3285c445453bf62dbfaf42e3cda58dd4 SHA256: ad2abef5dd91d6702f321150f09fa8d9fb4d77e48857c7f15f35a96a30b1dd7b
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\HorizontalRuleLabels[1].js text MD5: e8c5878c6a8e8c808644bc05a08e69c9 SHA256: 0ca1b995759faa230266368cd368caa702cae774d786671f467d3d853507d4dd
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\d98fb015-7ef6-404f-a58a-5c9242d79770[1].woff woff MD5: c960580e2ccb80b3a240a555a3766dc1 SHA256: e13c80472b25ac5b722d30deaec5fa4a71349641d9bb471cf8fc10f6d91ba141
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\heatmapCalculator[1].js text MD5: 05d44c8cddddf9fe5bdc9a3334095178 SHA256: 338273869047cf9d2c1ac9698d26f6c8fa51c570870de9e6295085d7bda67396
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\generateRenderer[1].js text MD5: a9bc756e83da739e6562b2da1cdebcbd SHA256: 7758cd9ad3159aadf010ebad8b446850c7e0c18da76788da18d733c28f8f025d
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ClassBreaksDefinition[1].js text MD5: cee9ece0076354d80cd4f8f999e55c7b SHA256: 2a687613dbde6990d8797fe284f94b8d1d8200cbb54b1612ba0ea0c021514483
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\ProjectParameters[1].js text MD5: 09a8707a842698c4c65172fcdc0515ca SHA256: 9a2c095697b8593900f20d08173afd50198dd1389cf1ea089ac563963d047a04
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\GenerateRendererParameters[1].js text MD5: 68f364d7e488bb0591f76d822a6de50e SHA256: fe920193f775dbda7923b2d987c682e52145039f9c714891f24003a57f563c61
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\8b01637a-f445-4f10-92ea-b84a355f7690[1].woff woff MD5: 2bd3ab2300bd36a3c98aa198b1e55ed3 SHA256: 35e459f061bdc4a84c82136739ae9b264d10772a416c8933f6cf8e01f706bcbe
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\UniqueValueDefinition[1].js text MD5: cdcdd890a0caf09d2b5f02203f9b6db7 SHA256: ab162f5831563dad61ce47ffac19eb0850e32e492255976a0962831774b4b993
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\GenerateRendererTask[1].js text MD5: aefa210a11aa2d9840e2514d3eb94ab2 SHA256: 3a79dc30230eafeb8ec39ba910f9396ff890ce8b33bd3c83c63d23cb8cd23952
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\_toolbar[1].js text MD5: 69cafd4abcd7ae1175e536dffb283fc0 SHA256: d71d5e0fd265fd15e1f0921cf072f4793975df3e9f8f3ea853fe554a969ea178
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\AddressCandidate[1].js text MD5: b8010477236427b73e00928c389466be SHA256: b3cd87dc56dd486e5f38921bc30af395aa5e074fb2a613afd9080234b4a36731
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\basic[1].js text MD5: 1ef1ba1c3b19b44ba7a1294e4f098aec SHA256: 5bd430e09f7d9f77b9d3945aee98126b3be57a629e065ebfd12fced8cdc30553
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\a8aeea1b-1a9d-45b7-8ad9-7c71824599e2[1].woff woff MD5: 65a7a2f9f1c61df06420831e5872ae62 SHA256: 74d8637ba446bb99ebfef6d37685e28405ba5be10dac258ad6151ac9f58b1e47
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\_base[1].js text MD5: 290e043b86103aa558a52e018f5824c9 SHA256: da5d4fbbee3005362e99f4450ae70e0d3568a277904d3b3e4a8a822c34fb91c3
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\dc10b3bd-5076-4df5-a5f5-e5961f4a6938[1].woff woff MD5: e17abc84041bfe5405f11c1cecca195b SHA256: a25cb7ced3cb9839a6bc26b73812d56df6c0586cee31103a2f1a0396ff754814
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\BasemapGallery_en-us[1].js text MD5: 2b3657fa4941382bd81dcc7db3704eb3 SHA256: d3f022fe662302379beebc309a78df9f521e10a6d5628e59339cbd99f80aff52
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\_DateTimeTextBox[1].js text MD5: 101d2a25861d9df2f17df0238857494c SHA256: c26e9053c9d41bb30b90492ccc090037e32418ed389c35c3b9a5b161c9e5be53
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\5729f02e-f6b0-4f35-8ee5-c2cffa65fa76[1].woff woff MD5: dd23a4e98802b3db32dd2586d1313d25 SHA256: ad41b96bbfcdc287d9088cdd08714b93f25ca9a5a2f37c670ce37d6fd6ebe2c0
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\colorUtil[1].js text MD5: deffff1308ccd5a1187121d15a7cd211 SHA256: 1f7aec96919e6ed98f09895f3d203238714185a4322f5f3d5773c9f1746ad72e
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\HorizontalSlider[1].js text MD5: 666569f65d7a1ce8c5282f5bf82fa102 SHA256: 99df1f714865cf8491dc53b792f3bbbf042b1c5671f49aa1538c86e3958e7ef6
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Calendar[1].js text MD5: 0f0e01170e6860970f1806978995ba91 SHA256: 88e06600180f7c6c0d15b366775a423d364e606d251b1bb01be148107de1fe82
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\_Tooltip[1].js text MD5: c9392e4e9d24d41f5a9a92925324dc16 SHA256: 9915fa40429385da1d25db85213da057d5c39ee7f130f77028a43c6738d2f4a7
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\4ab86b35-c0c2-42b5-98ad-4b6eba66b197[1].woff woff MD5: 594c5cdfe4a525fedfdb75da2f659253 SHA256: 7dab3e72dbe1d717ed0eb1d2d9751c260e95e9becb353206392274b55661829f
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\45b78f45-e639-4836-8612-e0892e120f14[1].woff woff MD5: 26abda57aa4f147ed0051cc10082f019 SHA256: 445eab989145b1d6e92f0c5a747da46711b15da8acd22ce986d8cdb00ebec2e8
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\RadioButton[1].js text MD5: 2f589835b9944fc912ec6b0f84052c29 SHA256: 4febba3d38968f9582ce70d2fdaec56aaa975519a953cd02283fd91abc96e5fa
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\4d1d0d0d-9ea6-4117-901f-8b32ca1ab936[1].woff woff MD5: 7ffc334acb6ed6bf931250071db75e1a SHA256: 5d12647f27a505c6c28ddf34fffd4d0cf6095041f65d8e86575e679b54339ada
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\57a79aa3-9b06-4ba7-a9a4-2b766d826ecf[1].woff woff MD5: 5cfd714bb4aae201507f9cf9255afa0f SHA256: 1f330fbae10067942961dfb1729e78f4c9934c03c131a472fc2ce1765ef2b921
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\svgext[1].js text MD5: f8db74a4be21c70ab2ae8351d8ae44ca SHA256: 1f72e34a3b297546006dc51aeb75d5564a265b5808372ea9b70c81254296f872
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\_TimePicker[1].js text MD5: da3e2025ebfa227b82faf5ea03ca848c SHA256: 93877e3e7be19fc93dbe681dc84ebc3d0426e873bfeef1d6daab25d9a7664181
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\filters[1].js text MD5: f0bfe64bddab84050c192ff6c8662ed4 SHA256: 422137ccf839c7fd8c8c3f3dfb841fcbaa8fcc9744d8d4792b6b5eb292f6337e
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\geometryEngine[1].js text MD5: cfe5d4f24a23e233d4cef8866f5f4f69 SHA256: 8fd2ec8934da768755ea521acddf42a533746ab4d7ce69cd60ca6158c3e19e76
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\geometryEngineAsync[1].js text MD5: d2ad7acdaf273428e9ecbe982621223f SHA256: 02e753493bf81d28342eda8dd9fd3910a699893d8756fc3bc1a64fe72786d091
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\FeatureLayerStatistics[1].js text MD5: 96d2b2f1f2fa3c9bf89d4566e347f86d SHA256: d7ef2c09ccb820ed249fd0920d4047b22c2316357b113e7250d30198331579d6
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\d4ffabb3-dd7c-472a-bdfb-6700383c6354-greek[1].woff woff MD5: f4f4ea95ababdfc59780d965d076d276 SHA256: 4556a65aaf5e6c863dbd1985e9ce7d13267ead72ce61e638f5b39092e3f5b908
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Portal[1].js text MD5: dde9f9b57e0992ee5913dc376f59bb4e SHA256: 1db6f1255a451c1546c4393848669a47c5593dad0ca196e57bf828de51e3b127
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\colors[1].js text MD5: 833e8626d680b63867664f05387d9cb6 SHA256: e62743f63e6f2ac707cd9d1d8234068259e0df41d9a50f1bb0750d87f3d97247
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\12b00842-ec20-4c7f-aa72-802fb00f6cc4-greek[1].woff woff MD5: 9856e73bf16d1bfcf1a49d4e2752b7be SHA256: 9f3227c7ee24010632dc1539e0a88413f2012c15c6e742a0d4e47f3f4b13ce7a
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\e388ac99-8c6a-4451-8690-1d15b4d45adb-greek[1].woff woff MD5: 30648e54fba07ef6d6317639b054804a SHA256: 6febcc0053c0f88f55854d0222d993e17dc9f48a1471cac20b9660c3d7ddee0d
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Search[1].js text MD5: b0e0d30d78fe40f544b663e539396382 SHA256: bf678b0cc33ab16e883d86e468e8cc396276392ae171a6aa8ceccc43b285c7d3
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\easing[1].js text MD5: a82a448eed54e041d0529bc2ae3849f9 SHA256: 0bfcc5429bec83325636d1e224347d644c6e27a89d869fe2331b07008841046c
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\draw[1].js text MD5: 80a64c28376cdade651c7b9051910d82 SHA256: 25c20e4bf606648e5de224fef81f117b17fbf1f2d24c0b37dc27bf95cf179548
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\BasemapGallery[1].js text MD5: 07c2e75b126f7148f504804ddb22cf75 SHA256: ba061b60cc36384bcfdd609dd4c6c14200a636d153453881c6ca0ad34fa823dc
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\locator[1].js text MD5: ad86327c207cac7686733be77d366293 SHA256: c60d11f0d94207691853b143b96d142b89daea230d45420240a76322220a9db7
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\d4ffabb3-dd7c-472a-bdfb-6700383c6354-ext[1].woff woff MD5: ce33458ba47cbb2fa007648c7fd022b4 SHA256: f213a10e8c73483b2de3cedd02b46834936f8f4f49104f6e3cee3c5bf773c4a3
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cebce072-9561-4c6d-8c89-f0cefec63289-ext[1].woff woff MD5: 5cdffc766ab591b82843c7c44f176077 SHA256: f0df5a41d6e336fbff07bcce59cf1a1ac5e21557cc316d1c141b66ee4b52f6c5
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\3d5260a1-e4cd-4567-80ed-69d23c40355f-greek[1].woff woff MD5: ff7268ae997164ac6cd658ad919eb4f4 SHA256: 07d3f377e5198b020e4bb5cbec34070101a77b26bebdef67f1e052fc7cb11f75
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\12b00842-ec20-4c7f-aa72-802fb00f6cc4-ext[1].woff woff MD5: be054f9afdec72a948ded00b59b6b7ce SHA256: 0ed481ffd67f0c56d2fd22bbbe56baeb277f60b1fa255d6c063aed383d51e05a
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\LayerList[1].js text MD5: 8c67ba67c7d6ab3e9193e523c20170dd SHA256: cebe36d62c0af375a00384e5916a1427c857cbf477d55601f05c148f2f08ebcf
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Legend[1].js text MD5: 567611549541b1030e3670ad21f19294 SHA256: 388afb4207a442d20dcc6e786700a0648cadb9f60657c63a3940161e4a81351e
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Scalebar[1].js text MD5: 2fffaa8b2b0f9c21f93161ba08ecbd49 SHA256: d5bc1db6ec8e70237986d46cd58851a123deab69e2f44fafb1120324d6ec8416
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\e388ac99-8c6a-4451-8690-1d15b4d45adb-ext[1].woff woff MD5: 2b4b146c8f777d606206a835350866af SHA256: 19c3de219d9241020dfb742fe9bdb151d46f1008c5e206074d5ac75dedbab2c3
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\color[1].js text MD5: eaf6fea9347b7dc2cede5cb90a813b7b SHA256: 1a59329497187b99641cf0cd1eb55d3d4b2324ef9e5d037b8c00347d1692b23c
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\TimeTextBox[1].js text MD5: 2a059b9a6cff114212f21f23406923bd SHA256: c09fb1577f4e4dbb6bf7b93ed0dc44f8f430437522b81d22e18285e53632918f
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\DateTextBox[1].js text MD5: 48426b87c8bba196645cd77321b358de SHA256: 9346137917230c2daf742c1d0eb891e1e826e66d4005787cf670f00f8095fc19
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\HexPalette[1].js text MD5: 59cc43b94fb16ebb5bf32df4c14960d0 SHA256: fee3e724450b321f60ad24dd50410b51a7f77a0a2e140f486555f90ca94b4be3
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\12b00842-ec20-4c7f-aa72-802fb00f6cc4[1].woff woff MD5: 0307d586c73c7b342c8408b21e36e926 SHA256: ee9dfaeddb76bcaa3c8a31551ade9d9f528b98153bf7b9335f91b461b8d22f1c
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\d4ffabb3-dd7c-472a-bdfb-6700383c6354[1].woff woff MD5: e72348ef3368475bfe3a9b86a083d112 SHA256: fbde6b3678840ec8bd1320750b0a93cdd2df26e5ff570223b567bb8ee486c331
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3d5260a1-e4cd-4567-80ed-69d23c40355f-ext[1].woff woff MD5: 78e8e7907bd62d8ef31bd64999ef0115 SHA256: 0f5f5b8919997331c4f19dc6cba9761ccd5fb6869292ba747804b132d3c9016e
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\svg[1].js text MD5: 2dfd05d2b0bd269e21fdb5e7fd22da66 SHA256: 82f624436dc823b6d3f3b0c33b8d11d68c8dc02f01b06e3fb600325e76c75b3b
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\blank[1].gif image MD5: 6d22e4f2d2057c6e8d6fab098e76e80f SHA256: afe0dcfca292a0fae8bce08a48c14d3e59c9d82c6052ab6d48a22ecc6c48f277
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\ColorPicker[1].js text MD5: 898fe264ab8601e327f84a85c7f93126 SHA256: c40c39418a5b0d5726f5e92c81ff1e3935cf1b0c4e9054be1231bdc0d0894985
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\VWUHWJV4\gisanddata.maps.arcgis[1].xml text MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5 SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\3d5260a1-e4cd-4567-80ed-69d23c40355f[1].woff woff MD5: e3b8896280537002189b1716491ccac8 SHA256: 67d14aed0c5cb900add65c4dc94cd218fd6a936d3d5787caacef782e36b0031a
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\claro[1].css text MD5: 862bbb051b822675e3d074e39fe610d3 SHA256: a24d5875b74524075c850c6b82e51d5ec56ed85ac09793f4eb9798c79e19cd63
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Temp\datCEC7.tmp woff MD5: 604f151c2c068b971cf5266409462aa5 SHA256: 25a2f09aec34055ca7ac608e3b0ca119fefeec9fbadb442d8a4f173cdca0bba2
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\jsapi_en-us[1].js text MD5: 2245096fcd00147c618b4c77f7e86069 SHA256: e437b2af93836324c661251b75d8357cf12fcdf250e8dae75a136e7706063389
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Temp\datCEC5.tmp woff MD5: 14fdb046afa23bd163f0f9dcfd66c8db SHA256: a99ccf7008dec8ca9217674c43c6480458d48e8fb15e7e29d06edd0b3b39c46a
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\e388ac99-8c6a-4451-8690-1d15b4d45adb[1].woff woff MD5: d7a47c7dea713cfad1179f09d5baa06d SHA256: d340ab2537ab9633740422f8f70dcef7d07d218e890baf1285d9c1cf94c2fc5d
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\app-light-b63613cfdb072471418a118e938f8636[1].css text MD5: b63613cfdb072471418a118e938f8636 SHA256: 52cc8bf1981713f9cd54d11ecd21025b2a69ce9fea99d603172e3b75d7490632
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\esri[1].css text MD5: cec363661e246e729b054e304c500f25 SHA256: 0bf164a7597d56b2c271604f3fff7b5804c2a6d870ce09cdcb41882d1af27abc
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Temp\datCEC6.tmp woff MD5: d0b00864fe057ca65a3dbb6f4747d492 SHA256: 021998c4a3acd7b0ba2b011aa0021fd8cfb7f343c001251a4e85c5b046c7903e
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\amd-loading-02cbfb85f129b9c95536fe053a9457cb[1].js text MD5: 41e03c07a754bba215da16e4f05a49bc SHA256: 1b0550146c0b4aba8405dad0a9970f7fe328226bc90e6474d1ccfcf9d41e059f
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\amd-config-d7fb343ed4b24bea0f132a1d0bbc7dbb[1].js text MD5: d7fb343ed4b24bea0f132a1d0bbc7dbb SHA256: 8314a990a5fb9dcdd342c7c8fda368167056d55ab3e48224d6c0eb5af555e363
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\init[1].js text MD5: 2ac5650a1f9bec50c14db7b422f2dbc3 SHA256: 504f4969f8cc39836d321eafffc69b921c5bf595e6c36627c114e396342cf3fa
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\vendor-cd320a47cf3e277e4a55fc99d7ff1519[1].css text MD5: cd320a47cf3e277e4a55fc99d7ff1519 SHA256: 7d34a992dba48b7a2ae6893d726bd86360ba678d137ef7d31e746fcfd4de03fc
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Local\Temp\autBBCB.tmp –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe.2 –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Information.txt –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Local\Temp\Tar5A8F.tmp –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Local\Temp\Cab5A8E.tmp –– MD5: –– SHA256: ––
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Temp\Tar53D7.tmp –– MD5: –– SHA256: ––
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Temp\Cab53D6.tmp –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.sqlite3.module.dll –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.sqlite3.module.dll.2 –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Local\Temp\aut4DFA.tmp –– MD5: –– SHA256: ––
2488 Build.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_6887FE9730D2535E9D41 –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 binary MD5: 31d269bd0423624593a6138aab978ba8 SHA256: b53db3bea17a48e03a02d7576d4607c03afeaee49c7d04397a192da90817b276
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\index[1].htm html MD5: 5c932f1a1d44af60a3bacca86a02e424 SHA256: 5e839fd30e0e1513aca7777b5a9e38b705055bf525eb71623924a1b1b1bfd9bc
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Cookies\Google Chrome (2).txt text MD5: aeb35a3badee035080889a2cda6128de SHA256: 816904b77c5431f097c8c823bf6ef6da769730e8721e6a10526c6f230555b514
2384 Corona.exe C:\Users\admin\AppData\Local\Temp\aut48BC.tmp –– MD5: –– SHA256: ––
2384 Corona.exe C:\Users\admin\AppData\Local\Temp\aut4782.tmp –– MD5: –– SHA256: ––
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB der MD5: 459ba5a84bef00bd50029fc7e84a7aad SHA256: f774d4f907637d1944716c9d8df6b7afd983c1cf6e574b72c375358a1685b2bd
2604 Windows.Globalization.Fontgroups.module.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_6887FE9730D2535E9D41.7z compressed MD5: 80a3e54b681f3cd2af7306fee0cc2678 SHA256: d53e1133c97c700ea3158932f8ba91371c470965d12eef8618bc50e071ee2ff3
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_0BF08DC3E996EA8E0B74365860F1037F binary MD5: 84f26b9b3925b8c60fe5d32e93baada5 SHA256: f6bcf6fdac482cbc1528427015a8caf7d927867fd3f401c1248c9fef06b60ec5
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB binary MD5: 5c23ab1a1ca2882c6f0628aa4f70ab04 SHA256: 55a51109b05dd7b6d73d97edc611cb386049d8fe0380a77c60da969398806d0d
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 der MD5: 28bee1cfd67cb6d53b701dd3ab8d0d86 SHA256: dbc5c98e778def9c9a51a3ec1f6199d11ee79f7346bacc101d28b6101e65c300
3100 Corona-virus-Map.com.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_0BF08DC3E996EA8E0B74365860F1037F der MD5: 6b94305ff2cc20d69d3037aa38d9f34d SHA256: 53b282a3ecfdfa9bcc08489cd8972261a985b0994cdabeca08c800cdf48714a9
2528 Corona-virus-Map.com.bin.exe C:\Users\admin\AppData\Local\Temp\aut40CC.tmp –– MD5: –– SHA256: ––
2528 Corona-virus-Map.com.bin.exe C:\Users\admin\AppData\Local\Temp\aut3F25.tmp –– MD5: –– SHA256: ––
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\AutoFills.txt text MD5: 0d041fa2b7d4b53cfc128158442680cc SHA256: ce38f5b80097af5e3b7af271d9c1657d856a6bd1c6f38b15e6846bd3396775f7
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Passwords.txt text MD5: 76791c82f9f0bf922a6aa942aa4003c8 SHA256: 61c45914b5d3f91a483724f705bf2d74974e025dee4e44393e5a4746cce06848
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Cookies\Mozilla Firefox (10).txt text MD5: 87cc984576777ce52103c94663aba355 SHA256: 6b7cfdc32a9fbeb8a2fe9d310bd64bdc831868140e225886e14823de3be5cfa3
2452 Corona.exe C:\Users\admin\AppData\Local\Temp\RarSFX0\Corona.bat text MD5: e9dcbecca02b600ce135f7d58b8cd830 SHA256: 0cd1e499799e4d98f1cb76df08ff7a7f441216ff713dfa97cb6691c68c962cf8
2160 Windows.Globalization.Fontgroups.exe C:\Users\admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Screen.jpg image MD5: 9867dd4eedffdda6f267568946b0c0fc SHA256: 14d7719b245c3aa195f1044eb10eb7e0bf9213ad5c93762840242ddcfda5d9f2

Network activity

HTTP(S) requests: 7
TCP/UDP connections: 14
DNS requests: 7
Threats: 12

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3100 Corona-virus-Map.com.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D US der shared
3100 Corona-virus-Map.com.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEA%2Fua8pGyrHaNkwKIDFpni4%3D US der shared
2160 Windows.Globalization.Fontgroups.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D US der shared
2160 Windows.Globalization.Fontgroups.exe CONNECT –– 51.68.178.28:65233 http://api.telegram.org:443 GB –– –– malicious
2160 Windows.Globalization.Fontgroups.exe CONNECT –– 51.68.178.28:65233 http://api.telegram.org:443 GB –– –– malicious
2160 Windows.Globalization.Fontgroups.exe CONNECT –– 51.68.178.28:65233 http://api.telegram.org:443 GB –– –– malicious
2160 Windows.Globalization.Fontgroups.exe CONNECT –– 51.68.178.28:65233 http://api.telegram.org:443 GB –– –– malicious

Connections

PID Process IP ASN CN Reputation
3100 Corona-virus-Map.com.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2160 Windows.Globalization.Fontgroups.exe 104.26.9.44:443 Cloudflare Inc US malicious
2160 Windows.Globalization.Fontgroups.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2160 Windows.Globalization.Fontgroups.exe 149.154.167.220:443 Telegram Messenger LLP GB malicious
2160 Windows.Globalization.Fontgroups.exe 51.68.178.28:65233 GB malicious
3100 Corona-virus-Map.com.exe 52.200.37.59:443 Amazon.com, Inc. US unknown
3100 Corona-virus-Map.com.exe 143.204.89.122:443 US unknown

DNS requests

Domain IP Reputation
gisanddata.maps.arcgis.com 52.200.37.59, 34.198.205.11, 34.203.120.96, 54.167.133.217, 34.198.35.123, 54.81.32.42 whitelisted
coronavirusstatus.space No response malicious
api.telegram.org 149.154.167.220 shared
ocsp.digicert.com 93.184.220.29 shared
ipapi.co 104.26.9.44, 172.67.69.226, 104.26.8.44 shared
js.arcgis.com 143.204.89.122, 143.204.89.61, 143.204.89.46, 143.204.89.9 shared

Threats

PID Process Class Message
–– –– Potentially Bad Traffic ET INFO Suspicious Domain Request for Possible COVID-19 Domain M2
–– –– Potentially Bad Traffic ET INFO Suspicious Domain Request for Possible COVID-19 Domain M2
–– –– Potential Corporate Privacy Violation ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
2160 Windows.Globalization.Fontgroups.exe Potentially Bad Traffic ET INFO TLS Handshake Failure
2160 Windows.Globalization.Fontgroups.exe Potential Corporate Privacy Violation ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2160 Windows.Globalization.Fontgroups.exe Potential Corporate Privacy Violation ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2160 Windows.Globalization.Fontgroups.exe Potentially Bad Traffic ET INFO TLS Handshake Failure
2160 Windows.Globalization.Fontgroups.exe Potential Corporate Privacy Violation ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2160 Windows.Globalization.Fontgroups.exe Potential Corporate Privacy Violation ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

3 ETPRO signatures available at the full report

Debug output strings

No debug info.