Analysis Report CDC COVID-19 Second Outbreak Warning release.exe

Overview

General Information

Sample Name: CDC COVID-19 Second Outbreak Warning release.exe
Analysis ID: 318615
MD5: f4201dd98773cac936bc187ea40fe7ed
SHA1: a432474f6c65cec9343c540aa10fb313d6eb112a
SHA256: d0f1b190868c2b25c602e6eee551a39fe677678d6e7dc45eb304fa82a5760799

Detection

MassLogger RAT
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected MassLogger RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • winrar.exe (PID: 7056 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe' MD5: F4201DD98773CAC936BC187EA40FE7ED)
    • winrar.exe (PID: 5604 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: F4201DD98773CAC936BC187EA40FE7ED)
      • WerFault.exe (PID: 6016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 944 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • winrar.exe (PID: 4488 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe' MD5: F4201DD98773CAC936BC187EA40FE7ED)
    • winrar.exe (PID: 5628 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: F4201DD98773CAC936BC187EA40FE7ED)
    • winrar.exe (PID: 5020 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: F4201DD98773CAC936BC187EA40FE7ED)
      • WerFault.exe (PID: 7084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 940 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0000000D.00000003.803904638.00000000042BA000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000018.00000002.895590342.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth |
  • 0x8b6:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x755:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xea8:$op3: 00 04 03 69 91 1B 40
  • 0x1fbc:$op3: 00 04 03 69 91 1B 40
00000018.00000002.895590342.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.CDC COVID-19 Second Outbreak Warning release.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth |
  • 0xab6:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x955:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x10a8:$op3: 00 04 03 69 91 1B 40
  • 0x21bc:$op3: 00 04 03 69 91 1B 40
6.2.CDC COVID-19 Second Outbreak Warning release.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
20.2.winrar.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth |
  • 0xab6:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x955:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x10a8:$op3: 00 04 03 69 91 1B 40
  • 0x21bc:$op3: 00 04 03 69 91 1B 40
20.2.winrar.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
24.2.winrar.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth |
  • 0xab6:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x955:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x10a8:$op3: 00 04 03 69 91 1B 40
  • 0x21bc:$op3: 00 04 03 69 91 1B 40

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CDC COVID-19 Second Outbreak Warning release.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.721459221.00000000009FB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000018.00000002.895590342.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 0000000D.00000002.807907464.0000000004110000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 0000000E.00000002.837049292.00000000048C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000006.00000002.763675792.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000014.00000002.882744269.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 00000000.00000002.726511556.0000000004040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 0000000E.00000002.829458089.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 6.2.CDC COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 20.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
Source: 24.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 14_2_05451BE014_2_05451BE0
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 14_2_05454A4014_2_05454A40
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 14_2_054547C814_2_054547C8
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 14_2_054547B814_2_054547B8
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 14_2_05454A3014_2_05454A30
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 20_2_00D204C020_2_00D204C0
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 20_2_00D204B120_2_00D204B1
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 24_2_012004B124_2_012004B1
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeCode function: 24_2_012004C024_2_012004C0
              Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 940
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: invalid certificate
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: winrar.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: winrar.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.721268123.0000000000342000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameXpobnbz5.exe0 vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.721459221.00000000009FB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.729159480.0000000004B80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNkuulqutljcm.dll4 vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.728916032.0000000004B10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.730743530.0000000005460000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary3.dll< vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.726511556.0000000004040000.00000004.00000001.sdmp Binary or memory string: OriginalFilename" vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.763675792.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilename" vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.765329818.0000000005880000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.764540721.00000000031F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.764370393.00000000017EA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.764632918.00000000033D2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXpobnbz5.exe0 vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: CDC COVID-19 Second Outbreak Warning release.exe Binary or memory string: OriginalFilenameXpobnbz5.exe0 vs CDC COVID-19 Second Outbreak Warning release.exe
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: 00000018.00000002.895590342.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000D.00000002.807907464.0000000004110000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000E.00000002.837049292.00000000048C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000006.00000002.763675792.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000014.00000002.882744269.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.726511556.0000000004040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000E.00000002.829458089.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.CDC COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 20.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: winrar.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: CDC COVID-19 Second Outbreak Warning release.exe, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: winrar.exe.0.dr, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.0.CDC COVID-19 Second Outbreak Warning release.exe.260000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.CDC COVID-19 Second Outbreak Warning release.exe.260000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 6.0.CDC COVID-19 Second Outbreak Warning release.exe.f70000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.CDC COVID-19 Second Outbreak Warning release.exe.f70000.1.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 13.0.winrar.exe.380000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 13.2.winrar.exe.380000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 14.0.winrar.exe.ad0000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 14.2.winrar.exe.ad0000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 20.0.winrar.exe.590000.0.unpack, u0007/u0006.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine Classification label: mal76.troj.evad.winEXE@14/16@0/0
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
              Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5020
              Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5604
              Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6676
              Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9.tmp
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe File read: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe
              Source: unknown Process created: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe 'C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe'
              Source: unknown Process created: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe
              Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 940
              Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
              Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
              Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 944
              Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 940
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Process created: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: CDC COVID-19 Second Outbreak Warning release.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: winrar.PDB405 source: winrar.exe, 00000014.00000002.883154230.0000000000AF8000.00000004.00000010.sdmp, winrar.exe, 00000018.00000002.896250108.0000000000EF8000.00000004.00000010.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.pdb" source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.727559910.0000000005412000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.809498281.0000000004AF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.735353679.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842626474.0000000005494000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb& source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb{ source: WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: shcore.pdbD source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.835421551.00000000033B5000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb" source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815808878.0000000004D7F000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842549794.000000000549F000.00000004.00000040.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.735353679.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842626474.0000000005494000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERF9.tmp.dmp.9.dr
              Source: Binary string: System.pdbP source: WERC40A.tmp.dmp.26.dr
              Source: Binary string: clrjit.pdb4 source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.PDB source: winrar.exe, 00000018.00000002.896250108.0000000000EF8000.00000004.00000010.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdbP source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdbN source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.PDB source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.764403820.0000000001814000.00000004.00000020.sdmp
              Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.PDB2.dll> source: winrar.exe, 00000014.00000002.883154230.0000000000AF8000.00000004.00000010.sdmp, winrar.exe, 00000018.00000002.896250108.0000000000EF8000.00000004.00000010.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb' source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp
              Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.835610751.00000000033AF000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbh source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb> source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb\ source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WERF9.tmp.dmp.9.dr
              Source: Binary string: CDC COVID-19 Second Outbreak Warning release.PDB source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.763968462.00000000011F8000.00000004.00000010.sdmp
              Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: msasn1.pdb2 source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.PDB source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.763968462.00000000011F8000.00000004.00000010.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdbj source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbR source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815808878.0000000004D7F000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842549794.000000000549F000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdbB source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb d7k source: WERC40A.tmp.dmp.26.dr
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb4 source: WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdbZ source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb7 source: WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbv source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.835108628.00000000033A3000.00000004.00000001.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdb` source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WERF9.tmp.dmp.9.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.835421551.00000000033B5000.00000004.00000001.sdmp
              Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: winrar.PDB405 source: winrar.exe, 00000014.00000002.883154230.0000000000AF8000.00000004.00000010.sdmp, winrar.exe, 00000018.00000002.896250108.0000000000EF8000.00000004.00000010.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.pdb" source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.727559910.0000000005412000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.809498281.0000000004AF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.735353679.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842626474.0000000005494000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb& source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb{ source: WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: shcore.pdbD source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.835421551.00000000033B5000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb" source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815808878.0000000004D7F000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842549794.000000000549F000.00000004.00000040.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.735277755.0000000005731000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.815787312.0000000004DA1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.842525579.00000000054C1000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.735353679.0000000005704000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842626474.0000000005494000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERF9.tmp.dmp.9.dr
              Source: Binary string: System.pdbP source: WERC40A.tmp.dmp.26.dr
              Source: Binary string: clrjit.pdb4 source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.PDB source: winrar.exe, 00000018.00000002.896250108.0000000000EF8000.00000004.00000010.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdbP source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdbN source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.PDB source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.764403820.0000000001814000.00000004.00000020.sdmp
              Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.PDB2.dll> source: winrar.exe, 00000014.00000002.883154230.0000000000AF8000.00000004.00000010.sdmp, winrar.exe, 00000018.00000002.896250108.0000000000EF8000.00000004.00000010.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb' source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp
              Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.835610751.00000000033AF000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbh source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb> source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb\ source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WERF9.tmp.dmp.9.dr
              Source: Binary string: CDC COVID-19 Second Outbreak Warning release.PDB source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.763968462.00000000011F8000.00000004.00000010.sdmp
              Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000009.00000003.735309765.0000000005701000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815820939.0000000004D71000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842562972.0000000005491000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.763344511.0000000005920000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp
              Source: Binary string: msasn1.pdb2 source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.PDB source: CDC COVID-19 Second Outbreak Warning release.exe, 00000006.00000002.763968462.00000000011F8000.00000004.00000010.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdbj source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbR source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815808878.0000000004D7F000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842549794.000000000549F000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdbB source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.735300244.000000000570F000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000002.882395208.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.895281504.00000000056F0000.00000004.00000001.sdmp, WERF9.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb d7k source: WERC40A.tmp.dmp.26.dr
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.735347046.0000000005700000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815862701.0000000004D70000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842613430.0000000005490000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb4 source: WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdbZ source: WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb7 source: WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.735320667.0000000005707000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.815879263.0000000004D77000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.842637029.0000000005497000.00000004.00000040.sdmp

              Data Obfuscation:

              Yara detected Costura Assembly Loader
              Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 7084, type: MEMORY
              Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 6016, type: MEMORY
              Source: Yara match, File source: Process Memory Space: winrar.exe PID: 4488, type: MEMORY
              Source: Yara match, File source: Process Memory Space: winrar.exe PID: 5020, type: MEMORY
              Source: Yara match, File source: Process Memory Space: CDC COVID-19 Second Outbreak Warning release.exe PID: 7132, type: MEMORY
              Source: Yara match, File source: Process Memory Space: winrar.exe PID: 5604, type: MEMORY
              Source: Yara match, File source: Process Memory Space: CDC COVID-19 Second Outbreak Warning release.exe PID: 6676, type: MEMORY
              Source: Yara match, File source: Process Memory Space: winrar.exe PID: 7056, type: MEMORY
              Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 6816, type: MEMORY
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Code function: 6_2_00F7A7B9 push es; ret 6_2_00F7ACDC
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe Code function: 6_2_00F73C72 push es; ret 6_2_00F7ACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 13_2_00383C72 push es; ret 13_2_0038ACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 13_2_0038A7B9 push es; ret 13_2_0038ACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 14_2_00ADA7B9 push es; ret 14_2_00ADACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 14_2_00AD3C72 push es; ret 14_2_00ADACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 20_2_00593C72 push es; ret 20_2_0059ACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 20_2_0059A7B9 push es; ret 20_2_0059ACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 23_2_002F3C72 push es; ret 23_2_002FACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 23_2_002FA7B9 push es; ret 23_2_002FACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 24_2_009FA7B9 push es; ret 24_2_009FACDC
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 24_2_009F3C72 push es; ret 24_2_009FACDC
              Source: initial sample, Static PE information: section name: .text entropy: 7.97832989128
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe, File created: \cdc covid-19 second outbreak warning release.exe
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe\:Zone.Identifier:$DATA
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrar
              Source: C:\Windows\SysWOW64\WerFault.exe, Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
              Source: C:\Users\user\Desktop\CDC COVID-19 Second Outbreak Warning release.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsof