
Analysis Report Covid21 2.0.exe

Overview

General Information

Sample Name:Covid21 2.0.exe
Analysis ID:377010
MD5:a7c7f5e792809db8653a75c958f82bc4
SHA1:7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256:02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Disables the Windows task manager (taskmgr)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample or dropped binary is a compiled AutoHotkey binary
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes directly to the primary disk partition (DR0)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

Startup

  • System is w10x64
  • Covid21 2.0.exe (PID: 6564 cmdline: 'C:\Users\user\Desktop\Covid21 2.0.exe' MD5: A7C7F5E792809DB8653A75C958F82BC4)
    • cmd.exe (PID: 6616 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\2526.tmp\Covid21.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cscript.exe (PID: 6680 cmdline: cscript prompt.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
      • reg.exe (PID: 6760 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6780 cmdline: Reg add 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • CLWCP.exe (PID: 6804 cmdline: clwcp c:\covid21\covid.jpg MD5: E62EE6F1EFC85CB36D62AB779DB6E4EC)
      • reg.exe (PID: 6836 cmdline: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • wscript.exe (PID: 6888 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\x.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • cmd.exe (PID: 6912 cmdline: C:\Windows\system32\cmd.exe /K coronaloop.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • Corona.exe (PID: 6984 cmdline: c:\covid21\corona.exe MD5: 6374CA8AD59246DFED4794FD788D6560)
      • timeout.exe (PID: 6932 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • inv.exe (PID: 7092 cmdline: inv.exe MD5: EBB811D0396C06A70FE74D9B23679446)
      • wscript.exe (PID: 7104 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 7120 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • z.exe (PID: 6544 cmdline: z.exe MD5: A7CE5BEE03C197F0A99427C4B590F4A0)
      • wscript.exe (PID: 744 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 768 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • mlt.exe (PID: 6804 cmdline: mlt.exe MD5: A4E26D32F9655DBE8EFD276A530EB02B)
      • wscript.exe (PID: 3136 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 1376 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 5972 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • icons.exe (PID: 6056 cmdline: icons.exe MD5: 3CA1D5768C2944D4284B1541653823C7)
        • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7052 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • screenscrew.exe (PID: 5600 cmdline: screenscrew.exe MD5: E87A04C270F98BB6B5677CC789D1AD1D)
      • wscript.exe (PID: 7080 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\y.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 5672 cmdline: timeout 5 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 6932 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\2526.tmp\t.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • timeout.exe (PID: 3912 cmdline: timeout 3 /nobreak MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • taskkill.exe (PID: 6160 cmdline: taskkill /f /im explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • PayloadMBR.exe (PID: 4112 cmdline: PayloadMBR.exe MD5: D917AF256A1D20B4EAC477CDB189367B)
        • schtasks.exe (PID: 4248 cmdline: schtasks.exe /Create /TN 'Windows Update' /ru SYSTEM /SC ONSTART /TR 'C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Avira: detection malicious, Label: HEUR/AGEN.1133501
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Metadefender: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: Covid21 2.0.exe | Virustotal: Detection: 69%
Source: Covid21 2.0.exe | Metadefender: Detection: 29%
Source: Covid21 2.0.exe | ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\icons.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Covid21 2.0.exe | Joe Sandbox ML: detected
Source: 0.2.Covid21 2.0.exe.63145a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: Covid21 2.0.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_0040850C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00408604 FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00405210 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\covid21\Corona.exe | Code function: 12_2_00404F24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0043892A _strlen,FindFirstFileA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,_strcat
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00424873 _strlen,_strcat,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,SetFileAttributesA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00423AD5 DeleteFileA,FindFirstFileA,_strcat,_strrchr,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0040A357 _strrchr,_strcat,_strlen,_strcat,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,_strlen,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0042C368 FindFirstFileA,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,MoveFileA,DeleteFileA,MoveFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00423D09 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00423DE4 FindFirstFileA,FindClose,FileTimeToLocalFileTime
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00424DBB _strlen,_strcat,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_strcat,_strrchr,_strlen,_strrchr,FindFirstFileA,FindFirstFileA,SetFileTime,GetTickCount,PeekMessageA,GetTickCount,_strlen,_strcat,CreateFileA,SetFileTime,CloseHandle,FindNextFileA,FindClose,_strcat,FindFirstFileA,_strlen,GetTickCount,GetTickCount,PeekMessageA,GetTickCount,_strlen,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0042C603 GetFileAttributesA,FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00439FDC FindFirstFileA,FindClose,GetFileAttributesA
Source: z.exe.0.dr | String found in binary or memory: http://www.autohotkey.com
Source: Covid21 2.0.exe, 00000000.00000002.754322945.0000000000611000.00000040.00020000.sdmp, z.exe, 00000012.00000002.792846873.000000000045A000.00000002.00020000.sdmp, z.exe.0.dr | String found in binary or memory: http://www.autohotkey.comCould
Source: screenscrew.exe, 0000001E.00000002.792044732.000000000043B000.00000004.00020000.sdmp | String found in binary or memory: http://www.rjlsoftware.com
Source: screenscrew.exe, 0000001E.00000002.793881577.00000000022C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.rjlsoftware.com(
Source: screenscrew.exe | String found in binary or memory: http://www.rjlsoftware.com/?screenscrew
Source: screenscrew.exe, 0000001E.00000003.729503063.00000000021D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.rjlsoftware.com/?screenscrewopenj
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00443AE3 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_004218AC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00420B07 GetForegroundWindow,GetWindowRect,_strrchr,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,DeleteObject,SelectObject,DeleteDC,DeleteObject
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00435EB4 GetKeyboardState
Source: Covid21 2.0.exe, 00000000.00000002.754644021.000000000090A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Code function: 0_2_00405D3C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,GetFocus,GetClassNameA,_strncoll,GetFocus,SendMessageA,GetPropA

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_0046CF80 RegOpenKeyExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\PayloadMBR.exe | Process information set: 01 00 00 00

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Code function: 0_2_00404714 GetWindowLongA,CallWindowProcA,RemovePropA,RemovePropA,RemovePropA,RevokeDragDrop,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Code function: 0_2_00407E1A sprintf,GetPropA,HeapFree,HeapFree,HeapFree,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00439164 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_0045543C NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_0042E49C NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00449828 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00455BEC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00455CB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\covid21\Corona.exe | Code function: 12_2_00432908 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher
Source: C:\covid21\Corona.exe | Code function: 12_2_0044CEA8 NtdllDefWindowProc_A
Source: C:\covid21\Corona.exe | Code function: 12_2_004421FC GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\covid21\Corona.exe | Code function: 12_2_0042738C NtdllDefWindowProc_A
Source: C:\covid21\Corona.exe | Code function: 12_2_0044D650 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\covid21\Corona.exe | Code function: 12_2_0044D700 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_0044A410 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_00424BF0 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_0044ABB8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_0044AC68 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_0043F764 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_0042FFB8 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Code function: 30_2_00428F5C NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Code function: 30_2_0042220A NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Code function: 30_2_00422218 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\screenscrew.exe | Code function: 30_2_0042E808 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_004234E7 CreateFileA,DeviceIoControl,CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0042CAA7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | File created: C:\Windows\clwcp.bmp
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Code function: 0_2_00406960
Source: C:\Users\user\Desktop\Covid21 2.0.exe | Code function: 0_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00458A98
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_0044EE08
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00465050
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00449828
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\CLWCP.exe | Code function: 6_2_00463A68
Source: C:\covid21\Corona.exe | Code function: 12_2_004421FC
Source: C:\covid21\Corona.exe | Code function: 12_2_004473A0
Source: C:\covid21\Corona.exe | Code function: 12_2_0041B3AA
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_00444908
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\inv.exe | Code function: 13_2_0043F764
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_004075C4
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0040DE8C
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00458854
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00424873
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0044207B
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00414803
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_004071FF
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0044522E
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0044B395
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00421466
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00452C20
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0042F514
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00450529
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_00449D8E
Source: C:\Users\user\AppData\Local\Temp\2526.tmp\z.exe | Code function: 18_2_0042963D