Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
6_2_0040850C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00408604 FindFirstFileA,GetLastError, |
6_2_00408604 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
6_2_00405210 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
12_2_00404F24 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
13_2_00404EB8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat, |
18_2_0043892A |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, |
18_2_00424873 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose, |
18_2_00423AD5 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose, |
18_2_0040A357 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose, |
18_2_0042C368 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00423D09 FindFirstFileA,FindClose, |
18_2_00423D09 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime, |
18_2_00423DE4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, |
18_2_00424DBB |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose, |
18_2_0042C603 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA, |
18_2_00439FDC |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A, |
0_2_00404714 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00405B1F GetPropA,DefFrameProcA,SetLastError,NtdllDefWindowProc_A, |
0_2_00405B1F |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A, |
0_2_00407E1A |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00439164 NtdllDefWindowProc_A,GetCapture, |
6_2_00439164 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0045543C NtdllDefWindowProc_A, |
6_2_0045543C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042E49C NtdllDefWindowProc_A, |
6_2_0042E49C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00449828 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
6_2_00449828 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
6_2_00455BEC |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
6_2_00455CB0 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_00432908 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher, |
12_2_00432908 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0044CEA8 NtdllDefWindowProc_A, |
12_2_0044CEA8 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_004421FC GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
12_2_004421FC |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0042738C NtdllDefWindowProc_A, |
12_2_0042738C |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
12_2_0044D650 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
12_2_0044D700 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0044A410 NtdllDefWindowProc_A, |
13_2_0044A410 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00424BF0 NtdllDefWindowProc_A, |
13_2_00424BF0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
13_2_0044ABB8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
13_2_0044AC68 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0043F764 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
13_2_0043F764 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0042FFB8 NtdllDefWindowProc_A,GetCapture, |
13_2_0042FFB8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_00428F5C NtdllDefWindowProc_A, |
37_2_00428F5C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0042220A NtdllDefWindowProc_A, |
37_2_0042220A |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_00422218 NtdllDefWindowProc_A, |
37_2_00422218 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0042E808 NtdllDefWindowProc_A, |
37_2_0042E808 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00406960 |
0_2_00406960 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00406C10 |
0_2_00406C10 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00458A98 |
6_2_00458A98 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0044EE08 |
6_2_0044EE08 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00465050 |
6_2_00465050 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00449828 |
6_2_00449828 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00463A68 |
6_2_00463A68 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_004421FC |
12_2_004421FC |
Source: C:\covid21\Corona.exe |
Code function: 12_2_004473A0 |
12_2_004473A0 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0041B3AA |
12_2_0041B3AA |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00444908 |
13_2_00444908 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0043F764 |
13_2_0043F764 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_004075C4 |
18_2_004075C4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0040DE8C |
18_2_0040DE8C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00458854 |
18_2_00458854 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00424873 |
18_2_00424873 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0044207B |
18_2_0044207B |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00414803 |
18_2_00414803 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_004071FF |
18_2_004071FF |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0044522E |
18_2_0044522E |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0044B395 |
18_2_0044B395 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00421466 |
18_2_00421466 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00452C20 |
18_2_00452C20 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042F514 |
18_2_0042F514 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00450529 |
18_2_00450529 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00449D8E |
18_2_00449D8E |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042963D |
18_2_0042963D |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0040CF24 |
18_2_0040CF24 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0041B735 |
18_2_0041B735 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0044179A |
18_2_0044179A |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0042E58C |
37_2_0042E58C |
Source: unknown |
Process created: C:\Users\user\Desktop\Covid21 2.0.exe 'C:\Users\user\Desktop\Covid21 2.0.exe' |
|
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\covid21\Corona.exe c:\covid21\corona.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe inv.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe z.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe mlt.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe icons.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
|
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe screenscrew.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
|
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe inv.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe z.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe mlt.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe icons.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe screenscrew.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\covid21\Corona.exe c:\covid21\corona.exe |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00478069 push 004112A1h; ret |
0_2_004780AE |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_004780BA push 004112D8h; ret |
0_2_004780E5 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_004775D7 push 0041083Ah; ret |
0_2_00477647 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00477651 push 004108E4h; ret |
0_2_004776F1 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_004776FB push 00410A14h; ret |
0_2_00477821 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_0046DAD9 push 00406CF0h; ret |
0_2_0046DAFD |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_0046CB59 push 00405D95h; ret |
0_2_0046CBA2 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00473B01 push ecx; mov dword ptr [esp], edx |
0_2_00473B06 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_0046DB11 push 00407000h; ret |
0_2_0046DE0D |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_0046CD7D push 00405F94h; ret |
0_2_0046CDA1 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00469DB9 push eax; ret |
0_2_00469DF5 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_0046CE0D push 00406024h; ret |
0_2_0046CE31 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00441090 push 0044111Dh; ret |
6_2_00441115 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0040D62C push 0040D69Bh; ret |
6_2_0040D693 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00405D44 push 00405D95h; ret |
6_2_00405D8D |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00442080 push ecx; mov dword ptr [esp], edx |
6_2_00442084 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_004162B8 push ecx; mov dword ptr [esp], edx |
6_2_004162BA |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0044237C push 004423A8h; ret |
6_2_004423A0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0044A328 push 0044A393h; ret |
6_2_0044A38B |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00428488 push 004284CAh; ret |
6_2_004284C2 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042E5E8 push 0042E614h; ret |
6_2_0042E60C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042E63C push 0042E668h; ret |
6_2_0042E660 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_004107C2 push 0041083Ah; ret |
6_2_00410832 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_004107C4 push 0041083Ah; ret |
6_2_00410832 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042C844 push 0042C870h; ret |
6_2_0042C868 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042C87C push 0042C8A8h; ret |
6_2_0042C8A0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042C80C push 0042C838h; ret |
6_2_0042C830 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0041083C push 004108E4h; ret |
6_2_004108DC |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_004108E6 push 00410A14h; ret |
6_2_00410A0C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042C8EC push 0042C918h; ret |
6_2_0042C910 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0042C8B4 push 0042C8E0h; ret |
6_2_0042C8D8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_004554C4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
6_2_004554C4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00452098 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, |
6_2_00452098 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0043AB48 IsIconic,GetCapture, |
6_2_0043AB48 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0043B440 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
6_2_0043B440 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00425458 IsIconic,GetWindowPlacement,GetWindowRect, |
6_2_00425458 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
6_2_00455BEC |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
6_2_00455CB0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0043BD64 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
6_2_0043BD64 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0044CF30 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
12_2_0044CF30 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_00449F58 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
12_2_00449F58 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0043402C IsIconic,GetCapture, |
12_2_0043402C |
Source: C:\covid21\Corona.exe |
Code function: 12_2_004348E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
12_2_004348E0 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_00435160 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
12_2_00435160 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
12_2_0044D650 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
12_2_0044D700 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_0042397C MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, |
12_2_0042397C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0044A498 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
13_2_0044A498 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00432810 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
13_2_00432810 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
13_2_0044ABB8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
13_2_0044AC68 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_004474C0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
13_2_004474C0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_004316DC IsIconic,GetCapture, |
13_2_004316DC |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00421D38 IsIconic,GetWindowPlacement,GetWindowRect, |
13_2_00421D38 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00431F90 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
13_2_00431F90 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0043A0D6 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongA,GetModuleHandleA,GetProcAddress, |
18_2_0043A0D6 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_004360F9 SetWindowTextA,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongA,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetMenu,GetWindowLongA,AdjustWindowRectEx,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus, |
18_2_004360F9 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_004360F9 SetWindowTextA,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongA,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetMenu,GetWindowLongA,AdjustWindowRectEx,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus, |
18_2_004360F9 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0043536F GetWindowLongA,GetWindowLongA,GetWindowLongA,_strlen,SetWindowPos,EnableWindow,IsWindowVisible,IsIconic,SetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowPos,ShowWindow,ShowWindow,ShowWindow, |
18_2_0043536F |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0043C3F2 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowA,IsIconic,ShowWindow,AttachThreadInput,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop, |
18_2_0043C3F2 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00439C0E GetAsyncKeyState,GetForegroundWindow,IsIconic,GetWindowRect, |
18_2_00439C0E |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0044C66D SendMessageA,SendMessageA,SendMessageA,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageA, |
18_2_0044C66D |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00431E81 SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,SendMessageA,GetWindowLongA,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageA,SetFocus,MapWindowPoints,InvalidateRect, |
18_2_00431E81 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042CF3C GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,DrawTextA,GetSystemMetrics,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,IsWindowVisible,IsIconic,SendMessageA,GetWindowLongA,SendMessageA,CreateWindowExA,SetWindowLongA,SendMessageA,CreateWindowExA,GetWindowLongA,SendMessageA,SendMessageA,CreateWindowExA,CreateWindowExA,CreateWindowExA,SendMessageA,SendMessageA,CreateWindowExA,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageA,SelectObject,ReleaseDC,SendMessageA,SendMessageA,GetClientRect,SetWindowLongA,SendMessageA,SetWindowLongA,MoveWindow,GetWindowRect,SendMessageA,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos, |
18_2_0042CF3C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_00428FE4 PostMessageA,PostMessageA,SendMessageA,LoadLibraryA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
37_2_00428FE4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0041F210 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
37_2_0041F210 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0041E320 IsIconic,GetCapture, |
37_2_0041E320 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0041EABA IsIconic,SetWindowPos, |
37_2_0041EABA |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_0041EABC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
37_2_0041EABC |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_004275F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
37_2_004275F8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_00429678 IsIconic,SetActiveWindow, |
37_2_00429678 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: 37_2_004296C0 IsIconic,SetActiveWindow,SetFocus, |
37_2_004296C0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
6_2_0040850C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00408604 FindFirstFileA,GetLastError, |
6_2_00408604 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
6_2_00405210 |
Source: C:\covid21\Corona.exe |
Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
12_2_00404F24 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
13_2_00404EB8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat, |
18_2_0043892A |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, |
18_2_00424873 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose, |
18_2_00423AD5 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose, |
18_2_0040A357 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose, |
18_2_0042C368 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00423D09 FindFirstFileA,FindClose, |
18_2_00423D09 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime, |
18_2_00423DE4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose, |
18_2_00424DBB |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose, |
18_2_0042C603 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA, |
18_2_00439FDC |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, |
0_2_00403B70 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Code function: 0_2_00403CC0 SetUnhandledExceptionFilter, |
0_2_00403CC0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe |
Code function: 23_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetStartupInfoA, |
23_2_004011B0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe |
Code function: 23_2_004082CC SetUnhandledExceptionFilter, |
23_2_004082CC |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe |
Code function: 23_2_00402C51 SetUnhandledExceptionFilter, |
23_2_00402C51 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe |
Code function: 23_2_00402290 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
23_2_00402290 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe |
Code function: 28_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, |
28_2_00401179 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe |
Code function: 28_2_0040201C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, |
28_2_0040201C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe |
Code function: 28_2_00402020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, |
28_2_00402020 |
Source: C:\Users\user\Desktop\Covid21 2.0.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe inv.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe z.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe mlt.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe icons.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe screenscrew.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\covid21\Corona.exe c:\covid21\corona.exe |
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, z.exe.0.dr |
Binary or memory string: Program Manager |
Source: Covid21 2.0.exe, z.exe, z.exe.0.dr |
Binary or memory string: Shell_TrayWnd |
Source: wscript.exe, 00000008.00000002.354896776.0000000003180000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.354381919.0000000000D50000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.354166081.0000000000C80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.354262499.0000000001BA0000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.354107900.0000000000D90000.00000002.00000001.sdmp, icons.exe, 0000001C.00000002.354241193.0000000001010000.00000002.00000001.sdmp, screenscrew.exe, 00000025.00000002.354181467.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Covid21 2.0.exe, 00000000.00000002.309149345.000000000043D000.00000040.00020000.sdmp, PayloadMBR.exe.0.dr |
Binary or memory string: Windows UpdateShell_TrayWnd |
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000000.248581249.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr |
Binary or memory string: (preempted: they will resume when the current thread finishes)%s CreateWindoweditShell_TrayWndAutoHotkey2RegClass0x%%%s%s%s.fRequires 1/2/3/Slow/Fast The current thread will exit.msRelativeScreenPress OK to continue.wait |
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000000.248581249.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr |
Binary or memory string: ?IsHungAppWindowIsHungThreadThe maximum number of MsgBoxes has been reached.groupclasspididahk_%s%uProgram Manager |
Source: wscript.exe, 00000008.00000002.354896776.0000000003180000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.354381919.0000000000D50000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.354166081.0000000000C80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.354262499.0000000001BA0000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.354107900.0000000000D90000.00000002.00000001.sdmp, icons.exe, 0000001C.00000002.354241193.0000000001010000.00000002.00000001.sdmp, screenscrew.exe, 00000025.00000002.354181467.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
6_2_004053D4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: GetLocaleInfoA, |
6_2_0040B068 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: GetLocaleInfoA, |
6_2_0040B0B4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
6_2_004054E0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: GetLocaleInfoA, |
6_2_00405CCE |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe |
Code function: GetLocaleInfoA, |
6_2_00405CD0 |
Source: C:\covid21\Corona.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
12_2_004050DC |
Source: C:\covid21\Corona.exe |
Code function: GetLocaleInfoA, |
12_2_0040A9FC |
Source: C:\covid21\Corona.exe |
Code function: GetLocaleInfoA, |
12_2_0040AA48 |
Source: C:\covid21\Corona.exe |
Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
12_2_004051E8 |
Source: C:\covid21\Corona.exe |
Code function: GetLocaleInfoA, |
12_2_004059D2 |
Source: C:\covid21\Corona.exe |
Code function: GetLocaleInfoA, |
12_2_004059D4 |
Source: C:\covid21\Corona.exe |
Code function: GetLocaleInfoA,GetACP, |
12_2_0040BFE8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
13_2_00405070 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: GetLocaleInfoA, |
13_2_0040A8B4 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: GetLocaleInfoA, |
13_2_0040A900 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
13_2_0040517C |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: GetLocaleInfoA, |
13_2_00405966 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: GetLocaleInfoA, |
13_2_00405968 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe |
Code function: GetLocaleInfoA,GetACP, |
13_2_0040BE14 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe |
Code function: GetLocaleInfoA, |
18_2_0043DE27 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA, |
37_2_004043C8 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: GetLocaleInfoA, |
37_2_004082D0 |
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe |
Code function: GetLocaleInfoA, |
37_2_0040831C |