Analysis Report CDC GUIDES COVID-19 Second Outbreak Warning release.scr

Overview

General Information

Sample Name: CDC GUIDES COVID-19 Second Outbreak Warning release.scr (renamed file extension from scr to exe)
Analysis ID: 319216
MD5: dc8d9c9a86fe4830053697c1dc59dc6f
SHA1: a63fa3cc878efe75ecf849111c3e3d417fef4fdd
SHA256: 5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • vlc.exe (PID: 6588 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: DC8D9C9A86FE4830053697C1DC59DC6F)
    • vlc.exe (PID: 2172 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: DC8D9C9A86FE4830053697C1DC59DC6F)
  • vlc.exe (PID: 6824 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: DC8D9C9A86FE4830053697C1DC59DC6F)
    • vlc.exe (PID: 4080 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: DC8D9C9A86FE4830053697C1DC59DC6F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0xe70d7:$s1: DoUploadAndExecute
  • 0x13def7:$s1: DoUploadAndExecute
  • 0xe731b:$s2: DoDownloadAndExecute
  • 0x13e13b:$s2: DoDownloadAndExecute
  • 0xe6e9c:$s3: DoShellExecute
  • 0x13dcbc:$s3: DoShellExecute
  • 0xe72d3:$s4: set_Processname
  • 0x13e0f3:$s4: set_Processname
  • 0xae9d4:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1057f4:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xae8f8:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x105718:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xaf35e:$op3: 00 04 03 69 91 1B 40
  • 0xafbae:$op3: 00 04 03 69 91 1B 40
  • 0x10617e:$op3: 00 04 03 69 91 1B 40
  • 0x1069ce:$op3: 00 04 03 69 91 1B 40
0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3df27:$s1: DoUploadAndExecute
  • 0x3e16b:$s2: DoDownloadAndExecute
  • 0x3dcec:$s3: DoShellExecute
  • 0x3e123:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40
00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3df27:$s1: DoUploadAndExecute
  • 0x3e16b:$s2: DoDownloadAndExecute
  • 0x3dcec:$s3: DoShellExecute
  • 0x3e123:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40

Unpacked PEs

Source | Rule | Description | Author | Strings
21.2.vlc.exe.400000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3ec0a:$x3: GetKeyloggerLogsResponse
  • 0x3de62:$x4: GetKeyloggerLogs
  • 0x3e13a:$s1: <RunHidden>k__BackingField
  • 0x3edd2:$s2: set_SystemInfos
  • 0x3e163:$s3: set_RunHidden
  • 0x3dc96:$s4: set_RemotePath
  • 0x56628:$s6: Client.exe
  • 0x566bc:$s6: Client.exe
  • 0x32029:$s7: xClient.Core.ReverseProxy.Packets
21.2.vlc.exe.400000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x305c0:$x4: xClient.Properties.Resources.resources
  • 0x30481:$s4: Client.exe
  • 0x3e163:$s7: set_RunHidden
21.2.vlc.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3e127:$s1: DoUploadAndExecute
  • 0x3e36b:$s2: DoDownloadAndExecute
  • 0x3deec:$s3: DoShellExecute
  • 0x3e323:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40
21.2.vlc.exe.400000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3ec0a:$x1: GetKeyloggerLogsResponse
  • 0x3ee4a:$s1: DoShellExecuteResponse
  • 0x3e7b9:$s2: GetPasswordsResponse
  • 0x3ed1d:$s3: GetStartupItemsResponse
  • 0x3e13b:$s5: RunHidden
  • 0x3e159:$s5: RunHidden
  • 0x3e167:$s5: RunHidden
  • 0x3e17b:$s5: RunHidden
21.2.vlc.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4f649:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x4f87f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | ReversingLabs: Detection: 12%
Yara detected Quasar RAT
Source: Yara match | File source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 2172, type: MEMORY
Source: Yara match | File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 4080, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6588, type: MEMORY
Source: Yara match | File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820, type: MEMORY
Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6824, type: MEMORY
Source: Yara match | File source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 185.244.26.221:4782
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839709535.00000000031D9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m0odoca
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://freegeoip.net/xml/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com4
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://s.symcd.com06
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837474746.0000000002F23000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | String found in binary or memory: https://www.globalsign.com/repository/0
      Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exeString found in binary or memory: https://d.symcb.com/cps0%
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exeString found in binary or memory: https://d.symcb.com/rpa0
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exeString found in binary or memory: https://d.symcb.com/rpa0.
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exeString found in binary or memory: https://www.globalsign.com/repository/0
      Source: vlc.exe, 0000000E.00000002.352476510.0000000000ACB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      Yara detected Quasar RAT
      Source: Yara match | File source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vlc.exe PID: 2172, type: MEMORY
      Source: Yara match | File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vlc.exe PID: 4080, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6588, type: MEMORY
      Source: Yara match | File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vlc.exe PID: 6824, type: MEMORY
      Source: Yara match | File source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger (Author: Florian Roth)
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware (Author: Florian Roth)
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware (Author: Florian Roth)
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set (Author: Florian Roth)
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger (Author: Florian Roth)
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware (Author: Florian Roth)
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware (Author: Florian Roth)
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set (Author: Florian Roth)
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger (Author: Florian Roth)
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware (Author: Florian Roth)
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT (Author: Florian Roth)
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware (Author: Florian Roth)
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set (Author: Florian Roth)
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_02D5FA70
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D91FA8
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D94660
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D90910
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D90040
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D990F0
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D990E0
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 0_2_05D9A212
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_0142F090
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_0142F960
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_0142ED48
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_066CE6DB
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_066C8EB8
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_066C4A60
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_066C5864
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Code function: 5_2_067342B8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_00D0FA70
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E21FA8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E24890
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E2487F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E20040
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E20910
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E28AE1
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E28AF0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 14_2_04E24B08
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E1FA8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E0910
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E0040
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E487F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E4890
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E8AE1
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 15_2_050E8AF0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 20_2_032EF090
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 20_2_032EF960
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 20_2_032EED48
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 21_2_02E2F090
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 21_2_02E2F960
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 21_2_02E2ED48
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 21_2_055F5198
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 21_2_055F51A8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 21_2_055F10B8
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Static PE information: invalid certificate
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vlc.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vlc.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 9FFWrx9i8Kuq.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 9FFWrx9i8Kuq.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000000.200975576.0000000000BCA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272315963.0000000005390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272529925.0000000005520000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePtgjunquq.dll4 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.833556159.0000000000B8A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDyxylehx1.exe8 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.833725048.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.832620216.000000000045A000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
      Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
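The Yara section above is the part of the report most worth machine-reading: each line names the rule, the unpacked PE or memory dump it fired on, and the reference hashes the rule was written against, which are the natural pivots for hunting related samples. The following parser is an added example, not part of the report or of Joe Sandbox; it copes with the fused "UNPACKEDPEMatched rule:" form the export produces, splits the "k = v, k = v" metadata on the first " = " only (reference URLs can contain "="), and groups hits per rule. The sample lines are copied from this report; the record layout is my own.

```python
"""Parse a sandbox report's 'Matched rule' lines into records that can be
pivoted on (rule -> sources, reference, hashes). Added example; the sample
lines are copied from this report, the record layout is an assumption."""
import re

# The export fuses the type column onto 'Matched rule:' ('UNPACKEDPEMatched rule:');
# the optional '|' also accepts the cleaned-up form of the same line.
_HEADER = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s+(?P<meta>.*)$"
)


def parse_meta(meta: str) -> dict:
    """Split 'k = v, k = v' rule metadata. Only the first ' = ' separates key
    from value, because reference URLs may themselves contain '='."""
    fields = {}
    for item in meta.split(", "):
        if " = " in item:
            key, value = item.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_match_line(line: str):
    """One report line -> record, or None for lines that are not Yara hits."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    meta = parse_meta(m.group("meta"))
    return {
        "source": m.group("source"),
        "type": m.group("type"),  # UNPACKEDPE or MEMORY
        "rule": m.group("rule"),
        "author": meta.get("author"),
        "description": meta.get("description"),
        "reference": meta.get("reference"),
        # hashN fields are the samples the rule was built from: pivot points
        "hashes": sorted(v for k, v in meta.items() if k.startswith("hash")),
    }


def summarize(lines):
    """Group hits by rule and de-duplicate the repeated lines in the export."""
    by_rule = {}
    for line in lines:
        rec = parse_match_line(line)
        if rec is None:
            continue
        entry = by_rule.setdefault(rec["rule"], {
            "sources": set(), "hashes": set(),
            "description": rec["description"], "reference": rec["reference"]})
        entry["sources"].add(rec["source"])
        entry["hashes"].update(rec["hashes"])
    return by_rule


SAMPLE_LINES = [  # copied from this report; the last one is not a Yara line
    "Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10",
    "Source: vlc.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE",
]

if __name__ == "__main__":
    for rule, info in summarize(SAMPLE_LINES).items():
        print(f"{rule}: {len(info['sources'])} source(s), "
              f"{len(info['hashes'])} reference hash(es) -> {info['reference']}")
```

Running the block on the sample lines reports two rules: Quasar_RAT_1 seen in two sources with four reference hashes, and MAL_QuasarRAT_May19_1 with one; the "Static PE information" line is skipped because it is not a Yara hit.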
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: vlc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: vlc.exe.0.dr, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.0.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b40000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b40000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 5.0.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b00000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b00000.1.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 14.2.vlc.exe.340000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 14.0.vlc.exe.340000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 15.2.vlc.exe.600000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 15.0.vlc.exe.600000.0.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 20.2.vlc.exe.df0000.1.unpack, u0006/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@2/2
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_aEyHRwA2EwWBI7cCGO
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | File created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe | ReversingLabs: Detection: 12%
      Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | File read: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: unknown | Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe 'C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe'
Source: unknown | Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe | Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe