Play interactive tour

Edit tour

Analysis Report CDC GUIDES COVID-19 Second Outbreak Warning release.scr

Overview

General Information

Sample Name:	CDC GUIDES COVID-19 Second Outbreak Warning release.scr (renamed file extension from scr to exe)
Analysis ID:	319216
MD5:	dc8d9c9a86fe4830053697c1dc59dc6f
SHA1:	a63fa3cc878efe75ecf849111c3e3d417fef4fdd
SHA256:	5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
Most interesting Screenshot:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

.NET source code references suspicious native API functions

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

CDC GUIDES COVID-19 Second Outbreak Warning release.exe (PID: 2764 cmdline: 'C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe' MD5: DC8D9C9A86FE4830053697C1DC59DC6F)

CDC GUIDES COVID-19 Second Outbreak Warning release.exe (PID: 5820 cmdline: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe MD5: DC8D9C9A86FE4830053697C1DC59DC6F)

9FFWrx9i8Kuq.exe (PID: 496 cmdline: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe MD5: 082B27BB1AAA169A5D0C4CD536976F99)

vlc.exe (PID: 6588 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: DC8D9C9A86FE4830053697C1DC59DC6F)

vlc.exe (PID: 2172 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: DC8D9C9A86FE4830053697C1DC59DC6F)

vlc.exe (PID: 6824 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: DC8D9C9A86FE4830053697C1DC59DC6F)

vlc.exe (PID: 4080 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: DC8D9C9A86FE4830053697C1DC59DC6F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xe70d7:$s1: DoUploadAndExecute 0x13def7:$s1: DoUploadAndExecute 0xe731b:$s2: DoDownloadAndExecute 0x13e13b:$s2: DoDownloadAndExecute 0xe6e9c:$s3: DoShellExecute 0x13dcbc:$s3: DoShellExecute 0xe72d3:$s4: set_Processname 0x13e0f3:$s4: set_Processname 0xae9d4:$op1: 04 1E FE 02 04 16 FE 01 60 0x1057f4:$op1: 04 1E FE 02 04 16 FE 01 60 0xae8f8:$op2: 00 17 03 1F 20 17 19 15 28 0x105718:$op2: 00 17 03 1F 20 17 19 15 28 0xaf35e:$op3: 00 04 03 69 91 1B 40 0xafbae:$op3: 00 04 03 69 91 1B 40 0x10617e:$op3: 00 04 03 69 91 1B 40 0x1069ce:$op3: 00 04 03 69 91 1B 40
0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df27:$s1: DoUploadAndExecute 0x3e16b:$s2: DoDownloadAndExecute 0x3dcec:$s3: DoShellExecute 0x3e123:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df27:$s1: DoUploadAndExecute 0x3e16b:$s2: DoDownloadAndExecute 0x3dcec:$s3: DoShellExecute 0x3e123:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xe70d7:$s1: DoUploadAndExecute 0x13def7:$s1: DoUploadAndExecute 0xe731b:$s2: DoDownloadAndExecute 0x13e13b:$s2: DoDownloadAndExecute 0xe6e9c:$s3: DoShellExecute 0x13dcbc:$s3: DoShellExecute 0xe72d3:$s4: set_Processname 0x13e0f3:$s4: set_Processname 0xae9d4:$op1: 04 1E FE 02 04 16 FE 01 60 0x1057f4:$op1: 04 1E FE 02 04 16 FE 01 60 0xae8f8:$op2: 00 17 03 1F 20 17 19 15 28 0x105718:$op2: 00 17 03 1F 20 17 19 15 28 0xaf35e:$op3: 00 04 03 69 91 1B 40 0xafbae:$op3: 00 04 03 69 91 1B 40 0x10617e:$op3: 00 04 03 69 91 1B 40 0x1069ce:$op3: 00 04 03 69 91 1B 40
0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df27:$s1: DoUploadAndExecute 0x3e16b:$s2: DoDownloadAndExecute 0x3dcec:$s3: DoShellExecute 0x3e123:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xe70d7:$s1: DoUploadAndExecute 0x13def7:$s1: DoUploadAndExecute 0xe731b:$s2: DoDownloadAndExecute 0x13e13b:$s2: DoDownloadAndExecute 0xe6e9c:$s3: DoShellExecute 0x13dcbc:$s3: DoShellExecute 0xe72d3:$s4: set_Processname 0x13e0f3:$s4: set_Processname 0xae9d4:$op1: 04 1E FE 02 04 16 FE 01 60 0x1057f4:$op1: 04 1E FE 02 04 16 FE 01 60 0xae8f8:$op2: 00 17 03 1F 20 17 19 15 28 0x105718:$op2: 00 17 03 1F 20 17 19 15 28 0xaf35e:$op3: 00 04 03 69 91 1B 40 0xafbae:$op3: 00 04 03 69 91 1B 40 0x10617e:$op3: 00 04 03 69 91 1B 40 0x1069ce:$op3: 00 04 03 69 91 1B 40
00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: vlc.exe PID: 2172	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: vlc.exe PID: 4080	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: vlc.exe PID: 6588	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: vlc.exe PID: 6824	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.vlc.exe.400000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec0a:$x3: GetKeyloggerLogsResponse 0x3de62:$x4: GetKeyloggerLogs 0x3e13a:$s1: <RunHidden>k__BackingField 0x3edd2:$s2: set_SystemInfos 0x3e163:$s3: set_RunHidden 0x3dc96:$s4: set_RemotePath 0x56628:$s6: Client.exe 0x566bc:$s6: Client.exe 0x32029:$s7: xClient.Core.ReverseProxy.Packets
21.2.vlc.exe.400000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e163:$s7: set_RunHidden
21.2.vlc.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e127:$s1: DoUploadAndExecute 0x3e36b:$s2: DoDownloadAndExecute 0x3deec:$s3: DoShellExecute 0x3e323:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
21.2.vlc.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec0a:$x1: GetKeyloggerLogsResponse 0x3ee4a:$s1: DoShellExecuteResponse 0x3e7b9:$s2: GetPasswordsResponse 0x3ed1d:$s3: GetStartupItemsResponse 0x3e13b:$s5: RunHidden 0x3e159:$s5: RunHidden 0x3e167:$s5: RunHidden 0x3e17b:$s5: RunHidden
21.2.vlc.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f649:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ... 0x4f87f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
21.2.vlc.exe.400000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x51633:$x2: Process already elevated. 0x3a2cf:$x4: get_encryptedPassword 0x3e36b:$x5: DoDownloadAndExecute
21.2.vlc.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec0a:$x3: GetKeyloggerLogsResponse 0x3de62:$x4: GetKeyloggerLogs 0x3e13a:$s1: <RunHidden>k__BackingField 0x3edd2:$s2: set_SystemInfos 0x3e163:$s3: set_RunHidden 0x3dc96:$s4: set_RemotePath 0x56628:$s6: Client.exe 0x566bc:$s6: Client.exe 0x32029:$s7: xClient.Core.ReverseProxy.Packets
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e163:$s7: set_RunHidden
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e127:$s1: DoUploadAndExecute 0x3e36b:$s2: DoDownloadAndExecute 0x3deec:$s3: DoShellExecute 0x3e323:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec0a:$x1: GetKeyloggerLogsResponse 0x3ee4a:$s1: DoShellExecuteResponse 0x3e7b9:$s2: GetPasswordsResponse 0x3ed1d:$s3: GetStartupItemsResponse 0x3e13b:$s5: RunHidden 0x3e159:$s5: RunHidden 0x3e167:$s5: RunHidden 0x3e17b:$s5: RunHidden
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f649:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ... 0x4f87f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x51633:$x2: Process already elevated. 0x3a2cf:$x4: get_encryptedPassword 0x3e36b:$x5: DoDownloadAndExecute
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
20.2.vlc.exe.400000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec0a:$x3: GetKeyloggerLogsResponse 0x3de62:$x4: GetKeyloggerLogs 0x3e13a:$s1: <RunHidden>k__BackingField 0x3edd2:$s2: set_SystemInfos 0x3e163:$s3: set_RunHidden 0x3dc96:$s4: set_RemotePath 0x56628:$s6: Client.exe 0x566bc:$s6: Client.exe 0x32029:$s7: xClient.Core.ReverseProxy.Packets
20.2.vlc.exe.400000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e163:$s7: set_RunHidden
20.2.vlc.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e127:$s1: DoUploadAndExecute 0x3e36b:$s2: DoDownloadAndExecute 0x3deec:$s3: DoShellExecute 0x3e323:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
20.2.vlc.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec0a:$x1: GetKeyloggerLogsResponse 0x3ee4a:$s1: DoShellExecuteResponse 0x3e7b9:$s2: GetPasswordsResponse 0x3ed1d:$s3: GetStartupItemsResponse 0x3e13b:$s5: RunHidden 0x3e159:$s5: RunHidden 0x3e167:$s5: RunHidden 0x3e17b:$s5: RunHidden
20.2.vlc.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f649:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ... 0x4f87f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
20.2.vlc.exe.400000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x51633:$x2: Process already elevated. 0x3a2cf:$x4: get_encryptedPassword 0x3e36b:$x5: DoDownloadAndExecute
20.2.vlc.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 16 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Show sources

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	ReversingLabs: Detection: 12%
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	ReversingLabs: Detection: 12%

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 2172, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 4080, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6588, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6824, type: MEMORY
Source: Yara match	File source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: global traffic	TCP traffic: 192.168.2.3:49736 -> 185.244.26.221:4782
Source: global traffic	TCP traffic: 192.168.2.3:49736 -> 185.244.26.221:4782

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	DNS traffic detected: queries for: ip-api.com
Source: unknown	DNS traffic detected: queries for: ip-api.com

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839709535.00000000031D9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m0odoca
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://freegeoip.net/xml/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com4
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://s.symcd.com06
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837474746.0000000002F23000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839709535.00000000031D9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m0odoca
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://freegeoip.net/xml/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com4
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://s.symcd.com06
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837474746.0000000002F23000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: vlc.exe, 0000000E.00000002.352476510.0000000000ACB000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: vlc.exe, 0000000E.00000002.352476510.0000000000ACB000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 2172, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 4080, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6588, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6824, type: MEMORY
Source: Yara match	File source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_02D5FA70	0_2_02D5FA70
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D91FA8	0_2_05D91FA8
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D94660	0_2_05D94660
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D90910	0_2_05D90910
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D90040	0_2_05D90040
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D990F0	0_2_05D990F0
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D990E0	0_2_05D990E0
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D9A212	0_2_05D9A212
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_02D5FA70	0_2_02D5FA70
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D91FA8	0_2_05D91FA8
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D94660	0_2_05D94660
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D90910	0_2_05D90910
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D90040	0_2_05D90040
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D990F0	0_2_05D990F0
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D990E0	0_2_05D990E0
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D9A212	0_2_05D9A212
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_0142F090	5_2_0142F090
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_0142F960	5_2_0142F960
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_0142ED48	5_2_0142ED48
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_066CE6DB	5_2_066CE6DB
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_066C8EB8	5_2_066C8EB8
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_066C4A60	5_2_066C4A60
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_066C5864	5_2_066C5864
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_067342B8	5_2_067342B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00D0FA70	14_2_00D0FA70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E21FA8	14_2_04E21FA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E24890	14_2_04E24890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E2487F	14_2_04E2487F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E20040	14_2_04E20040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E20910	14_2_04E20910
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E28AE1	14_2_04E28AE1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E28AF0	14_2_04E28AF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_04E24B08	14_2_04E24B08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E1FA8	15_2_050E1FA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E0910	15_2_050E0910
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E0040	15_2_050E0040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E487F	15_2_050E487F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E4890	15_2_050E4890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E8AE1	15_2_050E8AE1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 15_2_050E8AF0	15_2_050E8AF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 20_2_032EF090	20_2_032EF090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 20_2_032EF960	20_2_032EF960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 20_2_032EED48	20_2_032EED48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 21_2_02E2F090	21_2_02E2F090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 21_2_02E2F960	21_2_02E2F960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 21_2_02E2ED48	21_2_02E2ED48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 21_2_055F5198	21_2_055F5198
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 21_2_055F51A8	21_2_055F51A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 21_2_055F10B8	21_2_055F10B8

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: invalid certificate
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: invalid certificate

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9FFWrx9i8Kuq.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9FFWrx9i8Kuq.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9FFWrx9i8Kuq.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9FFWrx9i8Kuq.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vlc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vlc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vlc.exe.0.dr, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b40000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b40000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b00000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b00000.1.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.vlc.exe.340000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.0.vlc.exe.340000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.vlc.exe.600000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.vlc.exe.600000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vlc.exe.df0000.1.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vlc.exe.0.dr, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b40000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b40000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b00000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.b00000.1.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.vlc.exe.340000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.0.vlc.exe.340000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.vlc.exe.600000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.vlc.exe.600000.0.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.vlc.exe.df0000.1.unpack, u0006/u0008.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs	Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs	Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@2/2

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN			Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_aEyHRwA2EwWBI7cCGO
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_aEyHRwA2EwWBI7cCGO

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe			Jump to behavior

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	ReversingLabs: Detection: 12%
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File read: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe 'C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe'
Source: unknown	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe 'C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe'
Source: unknown	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32			Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll			Jump to behavior

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_02D5B712 pushfd ; iretd	0_2_02D5B771
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_02D5F438 pushfd ; iretd	0_2_02D5F43D
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_02D5B712 pushfd ; iretd	0_2_02D5B771
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_02D5F438 pushfd ; iretd	0_2_02D5F43D
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_066CD100 push es; ret	5_2_066CD104
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 5_2_066CDF3F push es; ret	5_2_066CDF40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00D0B718 pushfd ; iretd	14_2_00D0B771

Source: initial sample	Static PE information: section name: .text entropy: 7.95282361002
Source: initial sample	Static PE information: section name: .text entropy: 7.95282361002
Source: initial sample	Static PE information: section name: .text entropy: 7.95282361002
Source: initial sample	Static PE information: section name: .text entropy: 7.95282361002

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: \cdc guides covid-19 second outbreak warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: \cdc guides covid-19 second outbreak warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: \cdc guides covid-19 second outbreak warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: \cdc guides covid-19 second outbreak warning release.exe	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to dropped file

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File opened: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File opened: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File opened: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	File opened: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272529925.0000000005520000.00000004.00000001.sdmp, vlc.exe, 0000000E.00000002.354177047.00000000036E1000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.837912973.0000000004387000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLHEAD
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272529925.0000000005520000.00000004.00000001.sdmp, vlc.exe, 0000000E.00000002.354177047.00000000036E1000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.837912973.0000000004387000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLHEAD

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Window / User API: threadDelayed 676	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Window / User API: threadDelayed 1715	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Window / User API: threadDelayed 676	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Window / User API: threadDelayed 1715	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 4664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 6232	Thread sleep count: 676 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 6232	Thread sleep count: 1715 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 5884	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 5884	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 1380	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 4664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 6232	Thread sleep count: 676 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 6232	Thread sleep count: 1715 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 5884	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe TID: 5884	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 1380	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.837912973.0000000004387000.00000004.00000001.sdmp	Binary or memory string: vmware+microsoft corporation
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 9FFWrx9i8Kuq.exe, 00000026.00000002.837912973.0000000004387000.00000004.00000001.sdmp	Binary or memory string: vmware+microsoft corporation
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Memory allocated: page read and write \| page guard			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Memory allocated: page read and write \| page guard			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Memory written: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Memory written: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Process created: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.836473892.00000000018D0000.00000002.00000001.sdmp, 9FFWrx9i8Kuq.exe, 00000026.00000002.834891803.0000000001D20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D9EC10 GetUserNameA,		0_2_05D9EC10
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Code function: 0_2_05D9EC10 GetUserNameA,		0_2_05D9EC10

Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Stealing of Sensitive Information:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 2172, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 4080, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6588, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6824, type: MEMORY
Source: Yara match	File source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 2172, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 4080, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6588, type: MEMORY
Source: Yara match	File source: Process Memory Space: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6824, type: MEMORY
Source: Yara match	File source: 21.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	Registry Run Keys / Startup Folder11	Process Injection112	Disable or Modify Tools1	Input Capture1	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information21	Security Account Manager	System Information Discovery123	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Security Software Discovery221	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion4	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion4	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CDC GUIDES COVID-19 Second Outbreak Warning release.exe	12%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	12%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.2.vlc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
5.2.CDC GUIDES COVID-19 Second Outbreak Warning release.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
20.2.vlc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.m0odoca	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://ip-api.com4	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
devils.shacknet.us	185.244.26.221	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://freegeoip.net/xml/	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://crl.m0odoca	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839709535.00000000031D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837474746.0000000002F23000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://ocsp.thawte.com0	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp, 9FFWrx9i8Kuq.exe.5.dr	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ip-api.com4	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	false		high
http://www.jiyu-kobo.co.jp/	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ip-api.com	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.org/	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp, CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, vlc.exe, 0000000E.00000002.353478457.0000000002A3F000.00000004.00000001.sdmp, vlc.exe, 0000000F.00000002.372076333.0000000002E5F000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.837102867.0000000002EDC000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	9FFWrx9i8Kuq.exe, 00000026.00000002.842466971.00000000063A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	unknown	United States		53334	TUT-ASUS	false
185.244.26.221	unknown	Netherlands		47158	VAMU-ASIP-TRANSITVAMURU	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	319216
Start date:	18.11.2020
Start time:	05:46:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CDC GUIDES COVID-19 Second Outbreak Warning release.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.7% (good quality ratio 0.4%) Quality average: 47.1% Quality standard deviation: 39.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 87 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 51.104.139.180, 2.20.84.85, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 52.155.217.156, 40.90.23.247, 40.90.137.127, 40.90.137.124, 40.90.23.154, 40.90.23.208, 13.104.215.69, 40.90.137.120, 40.90.137.126, 51.11.168.232 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/319216/sample/CDC GUIDES COVID-19 Second Outbreak Warning release.exe

Simulations

Behavior and APIs

Time	Type	Description
05:48:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
05:48:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.95.112.1	JfBrVoAbZJ.exe	Get hash	malicious	Browse	ip-api.com/json/
	COMSurrogate.exe	Get hash	malicious	Browse	ip-api.com/xml
	XbVizOmLp2.exe	Get hash	malicious	Browse	ip-api.com/line/
	5GdTme5iYr.exe	Get hash	malicious	Browse	ip-api.com/line/
	ASX9zO2dRS.exe	Get hash	malicious	Browse	ip-api.com/json
	nW6wmlBvYs.exe	Get hash	malicious	Browse	ip-api.com/line/
	58M6JBEHW4.exe	Get hash	malicious	Browse	ip-api.com/json/
	wQDprpZ6i7.exe	Get hash	malicious	Browse	ip-api.com/json/
	Xxgm9UF1xP.exe	Get hash	malicious	Browse	ip-api.com/json/
	mY08H9Efjn.exe	Get hash	malicious	Browse	ip-api.com/line/
	DHL Shipment Notice of Arrival AWB 8032697940773.js	Get hash	malicious	Browse	ip-api.com/json/
	UuKzWnNMP6.exe	Get hash	malicious	Browse	ip-api.com/json/
	xGaL85Q9T2.exe	Get hash	malicious	Browse	ip-api.com/line/
	J7y5VaY5WM.exe	Get hash	malicious	Browse	ip-api.com/line/
	M5tzeNIe5t.exe	Get hash	malicious	Browse	ip-api.com/json/
	1LdcfAJXhM.exe	Get hash	malicious	Browse	ip-api.com/json/
	hjeBW2gHjq.exe	Get hash	malicious	Browse	ip-api.com/line/
	FOZUynGAgb.exe	Get hash	malicious	Browse	ip-api.com/line/?fields
	s2VoGiX9ai.exe	Get hash	malicious	Browse	ip-api.com/line/
	Bo0YWPrh0j.exe	Get hash	malicious	Browse	ip-api.com/line/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ip-api.com	JfBrVoAbZJ.exe	Get hash	malicious	Browse	208.95.112.1
	COMSurrogate.exe	Get hash	malicious	Browse	208.95.112.1
	XbVizOmLp2.exe	Get hash	malicious	Browse	208.95.112.1
	5GdTme5iYr.exe	Get hash	malicious	Browse	208.95.112.1
	ASX9zO2dRS.exe	Get hash	malicious	Browse	208.95.112.1
	nW6wmlBvYs.exe	Get hash	malicious	Browse	208.95.112.1
	58M6JBEHW4.exe	Get hash	malicious	Browse	208.95.112.1
	wQDprpZ6i7.exe	Get hash	malicious	Browse	208.95.112.1
	Xxgm9UF1xP.exe	Get hash	malicious	Browse	208.95.112.1
	mY08H9Efjn.exe	Get hash	malicious	Browse	208.95.112.1
	DHL Shipment Notice of Arrival AWB 8032697940773.js	Get hash	malicious	Browse	208.95.112.1
	UuKzWnNMP6.exe	Get hash	malicious	Browse	208.95.112.1
	xGaL85Q9T2.exe	Get hash	malicious	Browse	208.95.112.1
	J7y5VaY5WM.exe	Get hash	malicious	Browse	208.95.112.1
	M5tzeNIe5t.exe	Get hash	malicious	Browse	208.95.112.1
	1LdcfAJXhM.exe	Get hash	malicious	Browse	208.95.112.1
	hjeBW2gHjq.exe	Get hash	malicious	Browse	208.95.112.1
	FOZUynGAgb.exe	Get hash	malicious	Browse	208.95.112.1
	s2VoGiX9ai.exe	Get hash	malicious	Browse	208.95.112.1
	Bo0YWPrh0j.exe	Get hash	malicious	Browse	208.95.112.1

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VAMU-ASIP-TRANSITVAMURU	85RNPseqgJ.exe	Get hash	malicious	Browse	185.244.26.206
	Olzcqxcxnf9.exe	Get hash	malicious	Browse	185.244.26.213
	R1MfM3z2Nz.exe	Get hash	malicious	Browse	185.244.26.206
	Fh06tuCZaK.exe	Get hash	malicious	Browse	185.244.26.206
	AlTKG0L5d8.exe	Get hash	malicious	Browse	185.244.26.206
	Rbmmuoavjkz8.exe	Get hash	malicious	Browse	185.244.26.213
	PO 6300019918..exe	Get hash	malicious	Browse	185.244.26.206
	gSTnUDrWFe.exe	Get hash	malicious	Browse	185.244.26.199
	FpK385nmHk.exe	Get hash	malicious	Browse	185.244.26.199
	7sbXVpHq6E.exe	Get hash	malicious	Browse	185.244.26.199
	Order N#U00b022019.exe	Get hash	malicious	Browse	185.244.26.219
	scan.exe	Get hash	malicious	Browse	185.244.26.219
	3kpUlycHABfLMj6.exe	Get hash	malicious	Browse	185.244.26.228
	BTQBVILB.EXE	Get hash	malicious	Browse	185.244.26.228
	NCNRDEZ1.EXE	Get hash	malicious	Browse	185.244.26.228
	BM6GMIYN.EXE	Get hash	malicious	Browse	185.244.26.228
	QPI51NCL.EXE	Get hash	malicious	Browse	185.244.26.228
	LqyD3LqYjmUTl0n.exe	Get hash	malicious	Browse	185.244.26.228
	B6X9zW00qtAZXYd.exe	Get hash	malicious	Browse	185.244.26.228
	uPtScCCsvXI2Nj0.exe	Get hash	malicious	Browse	185.244.26.228
TUT-ASUS	JfBrVoAbZJ.exe	Get hash	malicious	Browse	208.95.112.1
	COMSurrogate.exe	Get hash	malicious	Browse	208.95.112.1
	XbVizOmLp2.exe	Get hash	malicious	Browse	208.95.112.1
	5GdTme5iYr.exe	Get hash	malicious	Browse	208.95.112.1
	nW6wmlBvYs.exe	Get hash	malicious	Browse	208.95.112.1
	58M6JBEHW4.exe	Get hash	malicious	Browse	208.95.112.1
	wQDprpZ6i7.exe	Get hash	malicious	Browse	208.95.112.1
	Xxgm9UF1xP.exe	Get hash	malicious	Browse	208.95.112.1
	mY08H9Efjn.exe	Get hash	malicious	Browse	208.95.112.1
	DHL Shipment Notice of Arrival AWB 8032697940773.js	Get hash	malicious	Browse	208.95.112.1
	UuKzWnNMP6.exe	Get hash	malicious	Browse	208.95.112.1
	xGaL85Q9T2.exe	Get hash	malicious	Browse	208.95.112.1
	J7y5VaY5WM.exe	Get hash	malicious	Browse	208.95.112.1
	M5tzeNIe5t.exe	Get hash	malicious	Browse	208.95.112.1
	1LdcfAJXhM.exe	Get hash	malicious	Browse	208.95.112.1
	hjeBW2gHjq.exe	Get hash	malicious	Browse	208.95.112.1
	FOZUynGAgb.exe	Get hash	malicious	Browse	208.95.112.1
	s2VoGiX9ai.exe	Get hash	malicious	Browse	208.95.112.1
	Bo0YWPrh0j.exe	Get hash	malicious	Browse	208.95.112.1
	UJr2wEBvsX.exe	Get hash	malicious	Browse	208.95.112.1

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CDC GUIDES COVID-19 Second Outbreak Warning release.exe.log Download File
Process:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	517
Entropy (8bit):	5.335306720429945
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaxzAbDLI4M6:ML9E4Ks2wKDE4KhK3VZ9pKhmsXE4j
MD5:	BB6624785B5CCCA1B27C160A2F19C179
SHA1:	51C3A976DB55F4E09009C1E7663643A2205FBEA5
SHA-256:	CF05D58CFF71D857664AAB4D49D3ABABFD0D59A65303B0FA5B1996C1CD3E66DA
SHA-512:	83C5B206F17844ECE6D3F8330C661A66C76803DF80BDD29780C541963D4693F89947407336D4CDE03F1F902C8F50B64E4F49C1577B99AAB09EDA16F1677CA843
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	517
Entropy (8bit):	5.335306720429945
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaxzAbDLI4M6:ML9E4Ks2wKDE4KhK3VZ9pKhmsXE4j
MD5:	BB6624785B5CCCA1B27C160A2F19C179
SHA1:	51C3A976DB55F4E09009C1E7663643A2205FBEA5
SHA-256:	CF05D58CFF71D857664AAB4D49D3ABABFD0D59A65303B0FA5B1996C1CD3E66DA
SHA-512:	83C5B206F17844ECE6D3F8330C661A66C76803DF80BDD29780C541963D4693F89947407336D4CDE03F1F902C8F50B64E4F49C1577B99AAB09EDA16F1677CA843
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe Download File
Process:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	287120
Entropy (8bit):	4.744226336831956
Encrypted:	false
SSDEEP:	6144:ZL9q3/hFX11OUPKLIIjjGzIAh9+B2UTeZis7OiQGYH649Mwxz:J0/X11OUPK5jjSAB2UTKpOiQGYH3Mwxz
MD5:	082B27BB1AAA169A5D0C4CD536976F99
SHA1:	F0C3E75BDC2D2F57B1309F3A26FB99E67546012C
SHA-256:	A8886AF066529DB9AE1A07AE170DC1B80726952DE1094ED5E14520922DC47A54
SHA-512:	BD2175E9EDF2B314901904E4F0EB81C7969B2ADAD2F9033BC95B0F28ACDB2D2C15B9B2EE5A2D36D31D20A4066BF768012344001D1EF1FFE4641674C3C35F2239
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.._............................"'... ...@....@.. ....................................@..................................&..W....@...............$...=...`....................................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................'......H............$......;...h4...............................................0.............-.&(....+.&+.....0..h....... .....-.&~.....,.&+).+..+....(....r...p(.....-.&. ....Z.+..+.. .&..1..(.... .H... _......Z...Y.. ....0..0.............-.&(....+.&+.....0..........r...p.-.&+.(....+...0...........%.-.&9....+..+..r...p(....-B.r/..p(....-H.rA..p(....-N.rY..p(....-L.ri..p(....-J.r...p(....-Hr...p.-.&+.(....+.r...p.-.&+.(....+.r...p(....r...p(....r...p(....r...p(....*....0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Download File
Process:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	645440
Entropy (8bit):	7.920263997977594
Encrypted:	false
SSDEEP:	12288:/4WN/IQY26pufbscH9POzQpGf2JUC5KJq7n8eUUI+PBUJXAXq:/Bb6ZcdOH2+CMJ2aiBUJXAXq
MD5:	DC8D9C9A86FE4830053697C1DC59DC6F
SHA1:	A63FA3CC878EFE75ECF849111C3E3D417FEF4FDD
SHA-256:	5DCD1649D97E0DA882778EC70677BE52B49603B6596B044518F02C278D93D0F2
SHA-512:	8F91ACA4B85D53745F395888FFB8E2D5F17F06AFC7E302F2ED19C840377C70EF807BA14748FEFD2A756B27B54808651087FBCBA572F0D162B06C8A0E9283EF8C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................b...D........... ........@.. ....................... ............@....................................J........@..............@1........................................................... ............... ..H............text....a... ...b.................. ..`.rsrc....@.......B...d..............@..@.reloc..............................@..B........................H............>..........h...e...........................................N+.+.(....+.(....+..0.......... ..a.%,[8....8....&8.... ....a%..^8....8.....Y.-..:v...E........ .......5...P....,.+.8{... .{V.%,7Z ...&a.-.+m+.+l I.46Z ..p.a+a8.......(..... }.m.Z ..z.a.8m.... Z.}.Z (>.Ea.8Z....8T...(q...8O....8O....8X....8W....8.....+..+..+...(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(....*..(.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.920263997977594
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
File size:	645440
MD5:	dc8d9c9a86fe4830053697c1dc59dc6f
SHA1:	a63fa3cc878efe75ecf849111c3e3d417fef4fdd
SHA256:	5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
SHA512:	8f91aca4b85d53745f395888ffb8e2d5f17f06afc7e302f2ed19c840377c70ef807ba14748fefd2a756b27b54808651087fbcba572f0d162b06c8a0e9283ef8c
SSDEEP:	12288:/4WN/IQY26pufbscH9POzQpGf2JUC5KJq7n8eUUI+PBUJXAXq:/Bb6ZcdOH2+CMJ2aiBUJXAXq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................b...D........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	3b3b332b696932b2

Static PE Info

General
Entrypoint:	0x488117
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB3FDCD [Tue Nov 17 16:43:57 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	8/25/2020 6:42:07 AM 8/26/2023 6:42:07 AM
Subject Chain	CN=win.rar GmbH, O=win.rar GmbH, L=Berlin, S=Berlin, C=DE
Version:	3
Thumbprint MD5:	185DBD4A2E2671589EEB3E7E1920EA9F
Thumbprint SHA-1:	B3DF816A17A25557316D181DDB9F46254D6D8CA0
Thumbprint SHA-256:	66DB1C86D38273627C837F4638122FA88BBFFFF31C4052115B98CAF6CE0C631E
Serial:	731D40AE3F3A1FB2BC3D8395

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x880cd	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x14003	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9a800	0x3140	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8611d	0x86200	False	0.959510426375	data	7.95282361002	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x14003	0x14200	False	0.831982725155	data	7.61557514964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8a09c	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x8a628	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8aef4	0xea8	data
RT_ICON	0x8bdc0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x8c24c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8d318	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8f8e4	0xd646	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x9cf66	0x68	data
RT_VERSION	0x9d00a	0x368	data
RT_MANIFEST	0x9d3ae	0xc55	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2020 05:48:18.525491953 CET	49735	80	192.168.2.3	208.95.112.1
Nov 18, 2020 05:48:18.556354046 CET	80	49735	208.95.112.1	192.168.2.3
Nov 18, 2020 05:48:18.556437969 CET	49735	80	192.168.2.3	208.95.112.1
Nov 18, 2020 05:48:18.556812048 CET	49735	80	192.168.2.3	208.95.112.1
Nov 18, 2020 05:48:18.587726116 CET	80	49735	208.95.112.1	192.168.2.3
Nov 18, 2020 05:48:18.638310909 CET	49735	80	192.168.2.3	208.95.112.1
Nov 18, 2020 05:48:19.751044989 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:48:19.984572887 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:48:19.984734058 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:48:20.218857050 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:48:20.263480902 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:48:20.783591032 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:48:21.018487930 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:48:21.060591936 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:48:46.031399965 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:48:46.265988111 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:48:46.294056892 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:48:46.294157982 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:49:11.283453941 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:49:11.516608000 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:49:11.533206940 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:49:11.533683062 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:49:32.079123974 CET	80	49735	208.95.112.1	192.168.2.3
Nov 18, 2020 05:49:32.079448938 CET	49735	80	192.168.2.3	208.95.112.1
Nov 18, 2020 05:49:36.519959927 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:49:36.753957987 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:49:36.774738073 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:49:36.774939060 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:49:58.611615896 CET	49735	80	192.168.2.3	208.95.112.1
Nov 18, 2020 05:49:58.642582893 CET	80	49735	208.95.112.1	192.168.2.3
Nov 18, 2020 05:50:01.787627935 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:50:02.125547886 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:50:27.009057045 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:50:27.009284019 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:50:27.133411884 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:50:27.365962982 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:50:52.246691942 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:50:52.246948004 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:50:52.373559952 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:50:52.606232882 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:51:17.475369930 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:51:17.475509882 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:51:17.610186100 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:51:17.842860937 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:51:42.710359097 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:51:42.710527897 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:51:42.846751928 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:51:43.079406023 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:07.948128939 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:07.948257923 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:08.083033085 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:08.315323114 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:33.186500072 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:33.188303947 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:33.320658922 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:33.552930117 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:35.871159077 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:35.871495008 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:35.871567011 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:35.871581078 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:35.871627092 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:35.871773005 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.104974985 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105020046 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105078936 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105122089 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105211020 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105252981 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.105282068 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.105376005 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105456114 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105468988 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.105578899 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.105665922 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.339184999 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.339503050 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.339589119 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.339943886 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340055943 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340131998 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.340162992 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340217113 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340281963 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.340287924 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340622902 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340780973 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340825081 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340882063 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340892076 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.340925932 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.340977907 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.341006041 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.341070890 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.341137886 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.341173887 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.341243982 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.341303110 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.572417021 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.572464943 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.572628021 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.573127985 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.573169947 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.573254108 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.575958967 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.576350927 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.576445103 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.576741934 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.576941013 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.576981068 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577019930 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.577415943 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577507019 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.577735901 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577775002 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577835083 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577862978 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.577883959 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577944040 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.577972889 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.577989101 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578041077 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578064919 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578078032 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578128099 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578146935 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578166962 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578222990 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578252077 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578263998 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578322887 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578353882 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578372002 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578430891 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578450918 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578475952 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578557014 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578557014 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578653097 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578712940 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578722954 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.578831911 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.578911066 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.579003096 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.579041958 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.579108000 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.805301905 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.805377960 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.805428028 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.805514097 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.805568933 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.805664062 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.805679083 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.805968046 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.806047916 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.806055069 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.806109905 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.806205988 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.808546066 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.808640003 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.808692932 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.808716059 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.808768034 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.808852911 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.809614897 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.809964895 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810024023 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810045004 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.810081959 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810139894 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810151100 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.810195923 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810254097 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810271025 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.810314894 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810396910 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.810827971 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810889006 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810945034 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.810987949 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.811168909 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.811250925 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.811292887 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.811615944 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.811690092 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.811729908 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.811810017 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.811882973 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.812048912 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812131882 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812184095 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812222958 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.812235117 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812287092 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812335014 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812361002 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.812422991 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.812772989 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812891006 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812935114 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.812983990 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813014984 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813034058 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813071012 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813112020 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813163042 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813191891 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813226938 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813276052 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813287020 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813328028 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813374996 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813393116 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813457966 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813507080 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813539028 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813559055 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813615084 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813632011 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.813669920 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813725948 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:36.813739061 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:36.866559982 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.039053917 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039098978 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039175987 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039208889 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.039335012 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039424896 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.039427042 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039503098 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039570093 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039572001 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.039639950 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.039707899 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.045463085 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.045490980 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.045583010 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.045629978 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.045689106 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.045773983 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.045958042 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046075106 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046152115 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.046154022 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046214104 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046267033 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046289921 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.046339035 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046386957 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046408892 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.046471119 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046552896 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046608925 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.046711922 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046787977 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046802998 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.046904087 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046983004 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.046983957 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.047193050 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.047265053 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.047271967 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.047393084 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.047471046 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.047508955 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.047535896 CET	4782	49736	185.244.26.221	192.168.2.3
Nov 18, 2020 05:52:37.047621965 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.404109001 CET	49736	4782	192.168.2.3	185.244.26.221
Nov 18, 2020 05:52:37.686585903 CET	4782	49736	185.244.26.221	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2020 05:47:50.012521982 CET	50141	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:50.048382998 CET	53	50141	8.8.8.8	192.168.2.3
Nov 18, 2020 05:47:51.043196917 CET	53023	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:51.070591927 CET	53	53023	8.8.8.8	192.168.2.3
Nov 18, 2020 05:47:52.042040110 CET	49563	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:52.069349051 CET	53	49563	8.8.8.8	192.168.2.3
Nov 18, 2020 05:47:52.983020067 CET	51352	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:53.010381937 CET	53	51352	8.8.8.8	192.168.2.3
Nov 18, 2020 05:47:53.781693935 CET	59349	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:53.809468031 CET	53	59349	8.8.8.8	192.168.2.3
Nov 18, 2020 05:47:56.386013985 CET	57084	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:56.413583040 CET	53	57084	8.8.8.8	192.168.2.3
Nov 18, 2020 05:47:59.936918020 CET	58823	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:47:59.964804888 CET	53	58823	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:01.808809042 CET	57568	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:01.844299078 CET	53	57568	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:02.866597891 CET	50540	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:02.893863916 CET	53	50540	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:05.870398998 CET	54366	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:05.897926092 CET	53	54366	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:05.942739964 CET	53034	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:05.970174074 CET	53	53034	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:06.722620010 CET	57762	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:06.750351906 CET	53	57762	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:09.962953091 CET	55435	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:09.990643024 CET	53	55435	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:11.889908075 CET	50713	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:11.917452097 CET	53	50713	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:12.983668089 CET	56132	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:13.011457920 CET	53	56132	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:14.170641899 CET	58987	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:14.222070932 CET	53	58987	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:18.481765032 CET	56579	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:18.509390116 CET	53	56579	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:19.676497936 CET	60633	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:19.720848083 CET	53	60633	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:20.004332066 CET	61292	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:20.032116890 CET	53	61292	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:29.786113024 CET	63619	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:29.824052095 CET	53	63619	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:39.943408012 CET	64938	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:39.971239090 CET	53	64938	8.8.8.8	192.168.2.3
Nov 18, 2020 05:48:42.993231058 CET	61946	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:48:43.030543089 CET	53	61946	8.8.8.8	192.168.2.3
Nov 18, 2020 05:49:14.649454117 CET	64910	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:49:14.677381039 CET	53	64910	8.8.8.8	192.168.2.3
Nov 18, 2020 05:49:15.810158968 CET	52123	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:49:15.854407072 CET	53	52123	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:30.843565941 CET	56130	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:30.895143986 CET	53	56130	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:31.429007053 CET	56338	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:31.467190981 CET	53	56338	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:31.871423006 CET	59420	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:31.907816887 CET	53	59420	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:32.373737097 CET	58784	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:32.422290087 CET	53	58784	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:32.810376883 CET	63978	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:32.845983982 CET	53	63978	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:33.219400883 CET	62938	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:33.255281925 CET	53	62938	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:33.778590918 CET	55708	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:33.814464092 CET	53	55708	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:34.817584991 CET	56803	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:34.853290081 CET	53	56803	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:35.515963078 CET	57145	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:35.551986933 CET	53	57145	8.8.8.8	192.168.2.3
Nov 18, 2020 05:50:35.847608089 CET	55359	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:50:35.874603033 CET	53	55359	8.8.8.8	192.168.2.3
Nov 18, 2020 05:52:31.505094051 CET	58306	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:52:31.542376995 CET	53	58306	8.8.8.8	192.168.2.3
Nov 18, 2020 05:52:32.180982113 CET	64124	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:52:32.226928949 CET	53	64124	8.8.8.8	192.168.2.3
Nov 18, 2020 05:52:35.734662056 CET	49361	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:52:35.778562069 CET	53	49361	8.8.8.8	192.168.2.3
Nov 18, 2020 05:52:38.909137964 CET	63150	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:52:38.944977999 CET	53	63150	8.8.8.8	192.168.2.3
Nov 18, 2020 05:52:39.208183050 CET	53279	53	192.168.2.3	8.8.8.8
Nov 18, 2020 05:52:39.244232893 CET	53	53279	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 18, 2020 05:48:18.481765032 CET	192.168.2.3	8.8.8.8	0xda1d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)
Nov 18, 2020 05:48:19.676497936 CET	192.168.2.3	8.8.8.8	0x43a3	Standard query (0)	devils.shacknet.us	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 18, 2020 05:48:18.509390116 CET	8.8.8.8	192.168.2.3	0xda1d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)
Nov 18, 2020 05:48:19.720848083 CET	8.8.8.8	192.168.2.3	0x43a3	No error (0)	devils.shacknet.us		185.244.26.221	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49735	208.95.112.1	80	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe

Timestamp	kBytes transferred	Direction	Data
Nov 18, 2020 05:48:18.556812048 CET	339	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Nov 18, 2020 05:48:18.587726116 CET	339	IN	HTTP/1.1 200 OK Date: Wed, 18 Nov 2020 04:48:17 GMT Content-Type: application/json; charset=utf-8 Content-Length: 281 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 31 35 32 22 2c 22 6c 61 74 22 3a 34 37 2e 34 33 2c 22 6c 6f 6e 22 3a 38 2e 35 37 31 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 5a 55 52 20 49 54 58 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 30 22 7d Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.40"}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764 Parent PID: 5664

General

Start time:	05:47:44
Start date:	18/11/2020
Path:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe'
Imagebase:	0xb40000
File size:	645440 bytes
MD5 hash:	DC8D9C9A86FE4830053697C1DC59DC6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.269160984.0000000004035000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820 Parent PID: 2764

General

Start time:	05:48:15
Start date:	18/11/2020
Path:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Imagebase:	0xb00000
File size:	645440 bytes
MD5 hash:	DC8D9C9A86FE4830053697C1DC59DC6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.831738365.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6588 Parent PID: 3388

General

Start time:	05:48:25
Start date:	18/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase:	0x340000
File size:	645440 bytes
MD5 hash:	DC8D9C9A86FE4830053697C1DC59DC6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.355201046.00000000037C5000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 12%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6824 Parent PID: 3388

General

Start time:	05:48:34
Start date:	18/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase:	0x600000
File size:	645440 bytes
MD5 hash:	DC8D9C9A86FE4830053697C1DC59DC6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.372345849.0000000003BE5000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 2172 Parent PID: 6588

General

Start time:	05:48:54
Start date:	18/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0xdf0000
File size:	645440 bytes
MD5 hash:	DC8D9C9A86FE4830053697C1DC59DC6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000014.00000002.358547843.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 4080 Parent PID: 6824

General

Start time:	05:49:03
Start date:	18/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0xca0000
File size:	645440 bytes
MD5 hash:	DC8D9C9A86FE4830053697C1DC59DC6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000015.00000002.376779243.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 9FFWrx9i8Kuq.exe PID: 496 Parent PID: 5820

General

Start time:	05:52:36
Start date:	18/11/2020
Path:	C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9FFWrx9i8Kuq.exe
Imagebase:	0xf20000
File size:	287120 bytes
MD5 hash:	082B27BB1AAA169A5D0C4CD536976F99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 2764 Parent PID: 5664 CDC GUIDES COVID-19 Second Outbreak Warning release.exeCOMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	97
Total number of Limit Nodes:	4

Executed Functions

Function 05D94660, Relevance: 2.1, Strings: 1, Instructions: 822
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\l, xrefs: 05D94822

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: \l
API String ID: 0-3304691678
Opcode ID: 5c2d4dbf162cd253e61a334bff1b9bbc986779cfd02de71bf15c6d71cf62836a
Instruction ID: f64ca5085ca8fda9900c6684f35b39a0d2d01d5842a59155a82ef67b975c6550
Opcode Fuzzy Hash: 5c2d4dbf162cd253e61a334bff1b9bbc986779cfd02de71bf15c6d71cf62836a
Instruction Fuzzy Hash: D8722C34A00614CFCB68DF65D894AADB7B2FF89304F1185AAD54A9B365DB30EC81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05D9EC10, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000000), ref: 05D9ED5C

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 14c11688b6397ab76dddfea34625819d5f0ec5b933c325c0e4b7f0c7f6fd6bdd
Instruction ID: 8eb4e802f6e5b831b62b3f0a34ae7ffd2d98dd95693372680d2986a9ccf5cbb1
Opcode Fuzzy Hash: 14c11688b6397ab76dddfea34625819d5f0ec5b933c325c0e4b7f0c7f6fd6bdd
Instruction Fuzzy Hash: 13512670D042489FDB18DFA9C884B9EBBF5FF88304F25812AD816AB391DB749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05D91FA8, Relevance: 1.6, Strings: 1, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<l, xrefs: 05D921F5

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: <l
API String ID: 0-2278483159
Opcode ID: c32a5e77bbc5e3f1ac97466d1edbfad24b652568d73ff41f34dd87fdb29d2648
Instruction ID: b3974f381355f89d10b2ce853a8c0075ac9f17f95b1175fc5aeb8b0960159b5a
Opcode Fuzzy Hash: c32a5e77bbc5e3f1ac97466d1edbfad24b652568d73ff41f34dd87fdb29d2648
Instruction Fuzzy Hash: 1CD14C74E002099FCF18DFA9C884AAEFBF2FF48314F15855AE515AB351DB34A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05D90040, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e56fd54f3a731fa8c226fb7537b7a2538f7e5ea6075251bf7e170cd92d1e517
Instruction ID: 9ff8df91a0679c0547bc366fa71f20b6894a2de16b3abf2a066bab619fb56116
Opcode Fuzzy Hash: 9e56fd54f3a731fa8c226fb7537b7a2538f7e5ea6075251bf7e170cd92d1e517
Instruction Fuzzy Hash: 7DB12B70E04219DFDF14CFA9D8897EEBBF2BF88314F14812AD819A7254EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D90910, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eceb0796715f7a5bc24d1d9e481df37d25a28bf7bf45df311807e804709bb8
Instruction ID: fcfa67323502182c05060cd5425661851b628f40f821b3c40bede058a0570530
Opcode Fuzzy Hash: a8eceb0796715f7a5bc24d1d9e481df37d25a28bf7bf45df311807e804709bb8
Instruction Fuzzy Hash: F7B13B70E042199FDF14CFA9E8897AEBBF2BF88358F14812AD419E7254DB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05D9E7FC, Relevance: 2.1, APIs: 1, Instructions: 646
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000000), ref: 05D9ED5C

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d3bd5915d2ac012a5fd0714065b69f1062fcd5f6586c52721bc118a13fbd6911
Instruction ID: 95557aba7029b9de07b260540b70f61d313ccdc6b05e20937ef7e103e380e0b5
Opcode Fuzzy Hash: d3bd5915d2ac012a5fd0714065b69f1062fcd5f6586c52721bc118a13fbd6911
Instruction Fuzzy Hash: 3F61AC70D042488FDB19DFA9C894BDDBBF1FF49304F14806AD446AB391DB789849CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CF4C, Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05D9D18E

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e79f08aa19fc7c631ace23434242870289bbf76f557eec8a00c284cfd39653f1
Instruction ID: 267e569d5dadf2377868540e8353f9b361aedb118cab5935bc12eb0c2a8c75bc
Opcode Fuzzy Hash: e79f08aa19fc7c631ace23434242870289bbf76f557eec8a00c284cfd39653f1
Instruction Fuzzy Hash: 41918C71D04219CFDF14DFA8C881BEDBBB2BF48314F55856AE809A7280DB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CF58, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05D9D18E

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d7d749b522be281af1e85afd0fd58f644b3d847f2d980fadf9e7197e9432630c
Instruction ID: 39b53b0fd93be86699fa48459767b932245290ec8a685db84bf5f1f99955cf66
Opcode Fuzzy Hash: d7d749b522be281af1e85afd0fd58f644b3d847f2d980fadf9e7197e9432630c
Instruction Fuzzy Hash: 0B918D71D04219DFDF14DFA8C880BEDBBB2BF48304F54856AE809A7280DB749986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D5D2B4, Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02D5D3A7

Memory Dump Source

Source File: 00000000.00000002.267617733.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2154c32e9d48c2a094d57f98ea7fb4d6765a27fffc2620a8b191182b1d15d678
Instruction ID: a03acd68c66122661c0c1fb17a35cfa437ae987461024ec0fdfbb94ebc469b1e
Opcode Fuzzy Hash: 2154c32e9d48c2a094d57f98ea7fb4d6765a27fffc2620a8b191182b1d15d678
Instruction Fuzzy Hash: 3D4129B0D106688FDB10CF99D88579DBBF2FB48304F14812AD855EB380D7B49845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D59BB8, Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02D5D3A7

Memory Dump Source

Source File: 00000000.00000002.267617733.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 765acf0284caa4cf4dcb0a494873bf058b6ef7ab58f80be2355e0e471c392d8d
Instruction ID: fa42f9b526740f8b52d4035ba43f707483bff468e713ad601405311eccc4cfa7
Opcode Fuzzy Hash: 765acf0284caa4cf4dcb0a494873bf058b6ef7ab58f80be2355e0e471c392d8d
Instruction Fuzzy Hash: 6E413AB0D106689FDB10CFA9D88579EBBF2FB48314F14812AD855EB380D7B4A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CC28, Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05D9CCC0

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7cca70a0dbac6dba1ed7f7337250255d4c8af53cba150cd4de15de1cc2ca9be5
Instruction ID: fed460e2f6730b4d44e32ea41966bac72737b829b818fd356fb2432b72b7ba4d
Opcode Fuzzy Hash: 7cca70a0dbac6dba1ed7f7337250255d4c8af53cba150cd4de15de1cc2ca9be5
Instruction Fuzzy Hash: 202106B19043499FCF10DFAAC8847DEBBB5BF48214F14842AE919A7351DB789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0617C838, Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 0617C8D1

Memory Dump Source

Source File: 00000000.00000002.272808190.0000000006170000.00000040.00000001.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b4b73311b803513b0d84efc1896cf55f75ed16241728754e474bf99dc7fe0eec
Instruction ID: 3c27e2bd39c1b0995cbc0d7b5e61839a2f1ea29c925c3e242844b64016c59d67
Opcode Fuzzy Hash: b4b73311b803513b0d84efc1896cf55f75ed16241728754e474bf99dc7fe0eec
Instruction Fuzzy Hash: 4E212AB1D016199FCB50CFAAD5847EEFBF5EF88320F14816AE818E7241D7749A44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CC30, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05D9CCC0

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 78f339d2d3d4b61d375a7add37fbdde69d343ffc9d6394629a64625e76c11740
Instruction ID: 9b76f56f828cc95e24665ca3b067cd3a7e23f85404f04463a5a58b7924116969
Opcode Fuzzy Hash: 78f339d2d3d4b61d375a7add37fbdde69d343ffc9d6394629a64625e76c11740
Instruction Fuzzy Hash: EC21F5B19003499FCF10DFAAC884BDEBBF5BF48314F14842AE919A7651DB789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CD19, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D9CDA0

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 750dfbfe4c70addef4a0512890819ba1659548eb6be262b7ea1c182dbb646074
Instruction ID: 7ff648e9ee365ba76ff1a2fd13fd42580305b0bf5357b7a2987058dda6cdb6ed
Opcode Fuzzy Hash: 750dfbfe4c70addef4a0512890819ba1659548eb6be262b7ea1c182dbb646074
Instruction Fuzzy Hash: 5F2139B18003499FCF10DFAAC8807DEBBB5FF88314F14842AE519A7351D7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CA91, Relevance: 1.6, APIs: 1, Instructions: 65
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05D9CB16

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8b6a3e31cb2fb91d01d9a255ded24153c41ec98619b6364ed5c3193edddce965
Instruction ID: 5f88d57db2d3a4e804bcd2262bf09a80df6b5e5cdb5c3153f97be4687b706f7b
Opcode Fuzzy Hash: 8b6a3e31cb2fb91d01d9a255ded24153c41ec98619b6364ed5c3193edddce965
Instruction Fuzzy Hash: FE213871D043098FCB10DFAAC4847EEBBF4EF88258F14842AD519A7341DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CD20, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D9CDA0

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d8a69231baa559fefe20f30d77aabda0b147f6f7a0bf5c1454e1f57dd2492cbc
Instruction ID: cd04cc15081457b7ee356a85b3a3893a46a85814759959cc27e390b557ee9122
Opcode Fuzzy Hash: d8a69231baa559fefe20f30d77aabda0b147f6f7a0bf5c1454e1f57dd2492cbc
Instruction Fuzzy Hash: B22119B18003499FCF10DFAAC8806DEBBB5FF48314F10842AE519A7251C7749945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CA98, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 05D9CB16

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 3f5e2d09cd4d4df430dbcc4b01fc95a9d9b6e12bcbd10fb547b5b6993c5e51ee
Instruction ID: c04b1421f01a1388c999c4a71db604d4108a04048f83bd864a0ecc71270aae3a
Opcode Fuzzy Hash: 3f5e2d09cd4d4df430dbcc4b01fc95a9d9b6e12bcbd10fb547b5b6993c5e51ee
Instruction Fuzzy Hash: 812135B1D043098FCB10DFAAC4847EEBBF4EF88264F14842AD519A7341CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CB68, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D9CBDE

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a087f689990d8175ee5dd9d2d36492fecbfdc23ca953b2aff297a680b8cd72d2
Instruction ID: 21d7a29bf7ace5d3bcf651d1a0f38e33cd563096698a62ee103d75c9c79f5105
Opcode Fuzzy Hash: a087f689990d8175ee5dd9d2d36492fecbfdc23ca953b2aff297a680b8cd72d2
Instruction Fuzzy Hash: 8A1159729042499BCF10DFAAC844BDFBBF5AF48314F14841AE519A7310CB759944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D9CB70, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D9CBDE

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b6340e9ce1c24c648b184e7ebb84dd2670a453d24bf97827041686f322adb74a
Instruction ID: b96773940fdb09a9434a6f4fcd4826975601828898368f41c033e74f771b1d60
Opcode Fuzzy Hash: b6340e9ce1c24c648b184e7ebb84dd2670a453d24bf97827041686f322adb74a
Instruction Fuzzy Hash: B31137719042499FCF10DFAAD844BDFBBF5AF88324F14841AE525A7250CB759944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D5D589, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02D5D5F2

Memory Dump Source

Source File: 00000000.00000002.267617733.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 99a5ac2c0d26b51f1f5466e0a4aba267ac372fb99c74e6956ef84f634e77b96b
Instruction ID: a17b64f01c45bb2c0f8c6122f0113f7933b4921b22bd4b4c523c1098d80fe265
Opcode Fuzzy Hash: 99a5ac2c0d26b51f1f5466e0a4aba267ac372fb99c74e6956ef84f634e77b96b
Instruction Fuzzy Hash: CC1158B19043488BCB10DFAAC8447DFFBF5EF88228F24841AD519A7700CB74A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D5D590, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02D5D5F2

Memory Dump Source

Source File: 00000000.00000002.267617733.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 56af7f8e5fda9faf4f6133718cf0111d730ed0116954f3357f044358189b3455
Instruction ID: 873fc5cd22aed33779d5c98f83d9532b10899b4cce53de9d589a94ae85da6bea
Opcode Fuzzy Hash: 56af7f8e5fda9faf4f6133718cf0111d730ed0116954f3357f044358189b3455
Instruction Fuzzy Hash: CF113AB1D043488BCB10DFAAC4447DFFBF5AF88224F248419D519A7740CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02D5FA70, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267617733.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbf13fb2b42e7f35729dbec691a77430b25a315669b7bae7785c8d13e85d595
Instruction ID: 60df5560c7b750b151659cdeec3f84ad4b1e3e17fbc0142ad1a5c768ff2e032a
Opcode Fuzzy Hash: 5fbf13fb2b42e7f35729dbec691a77430b25a315669b7bae7785c8d13e85d595
Instruction Fuzzy Hash: 1A917F70E00619CFDF10CFA9C9917EEBBF2AF89348F248129D815AB754DBB49845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D9A212, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0562ea00ba9625369878edc7f89e60125628768e7ba3a42d7c27f71488ae2ae6
Instruction ID: d2c0ac167e6b78b71c8f2d2fa1aea804c2f1921258c67c1570a8145c0e0e12d8
Opcode Fuzzy Hash: 0562ea00ba9625369878edc7f89e60125628768e7ba3a42d7c27f71488ae2ae6
Instruction Fuzzy Hash: A4816F32A09208CFDF18CB99D8847AEF7F2FB88304F08952BD15697645D735E885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05D990F0, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2294a3917058253012ccd88967baf54fed98b8ca6c3f247bab775b6e7371f0
Instruction ID: e029726a9cb02530a5ce6e458b680446dff04b10842afb6bff9c0076cd921470
Opcode Fuzzy Hash: 4c2294a3917058253012ccd88967baf54fed98b8ca6c3f247bab775b6e7371f0
Instruction Fuzzy Hash: AE818B31A05209DFDF29CF99D8A97AABBF2FB85300F00852FD146A7644C374A985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D990E0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272686153.0000000005D90000.00000040.00000001.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bded037001d6638587414ed146cc20f71cf353187ed2b561c0b3a0ab2256044
Instruction ID: 1f566f1524a208c431c99e8b629f35a3f6b371852faea68524772e4702bbe556
Opcode Fuzzy Hash: 8bded037001d6638587414ed146cc20f71cf353187ed2b561c0b3a0ab2256044
Instruction Fuzzy Hash: B8816B71A05209DFDF29CF89D8A97AABBF2FB85304F04852FC146A7644C374E985CB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe PID: 5820 Parent PID: 2764 CDC GUIDES COVID-19 Second Outbreak Warning release.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	1

Executed Functions

Function 067342B8, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c1e6fb05e27de3d936282f179b4eb18ebd22f32e392d3111bafe5df726ebde
Instruction ID: 3d39f1df2272cbc24008eae96387a74d11423a487048cdfaa1e9336f38472763
Opcode Fuzzy Hash: 22c1e6fb05e27de3d936282f179b4eb18ebd22f32e392d3111bafe5df726ebde
Instruction Fuzzy Hash: EAA1C2761092708BCF9FCF70C865175BBE1BB86320B589D95C943BB51FC320995287AE

Uniqueness

Uniqueness Score: -1.00%

Function 06732271, Relevance: 6.7, Strings: 4, Instructions: 1727COMMON

Download Yara Rule

Strings

t%l, xrefs: 06733BFF
t%l, xrefs: 06733C09
\l, xrefs: 0673379E
\l, xrefs: 067337A8

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: \l$\l$t%l$t%l
API String ID: 0-978669101
Opcode ID: 20670edb4ed3c13a761fd338edf649a90c8f25f375f8bca22afafc61c77370fd
Instruction ID: e1e7693eecd3b4398aad118ced42fd23614e6cef177b4a8b7f46137d7bd41aba
Opcode Fuzzy Hash: 20670edb4ed3c13a761fd338edf649a90c8f25f375f8bca22afafc61c77370fd
Instruction Fuzzy Hash: 9AC2E930FA57A0ABEEF40A184C91BB6A1DB6B50B65F14411EF641FA2C7CFF58DC48251

Uniqueness

Uniqueness Score: -1.00%

Function 06732282, Relevance: 6.7, Strings: 4, Instructions: 1717COMMON

Download Yara Rule

Strings

t%l, xrefs: 06733BFF
t%l, xrefs: 06733C09
\l, xrefs: 0673379E
\l, xrefs: 067337A8

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: \l$\l$t%l$t%l
API String ID: 0-978669101
Opcode ID: f7e809a34ce11992c22e91e6dfd7672c2d5eb98d235ebdfcf129a46b2d4fa635
Instruction ID: 96a8fb661685a5bc069cbd5943deb7b0e82d5fa6b9c6d16d463d444a84845261
Opcode Fuzzy Hash: f7e809a34ce11992c22e91e6dfd7672c2d5eb98d235ebdfcf129a46b2d4fa635
Instruction Fuzzy Hash: 3AC2E930FA17A1ABEEF40A184C91BB6A1DB6B50B25F14411EF641FA2C7CFF58DC48651

Uniqueness

Uniqueness Score: -1.00%

Function 06732278, Relevance: 4.1, Strings: 2, Instructions: 1648COMMON

Download Yara Rule

Strings

t%l, xrefs: 06733BFF
\l, xrefs: 0673379E

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: \l$t%l
API String ID: 0-770256137
Opcode ID: bd890190749d9788bd74039958269229202a4985d17e704bfbe9260c41da18c8
Instruction ID: 9c71543a7a7014160a2b93933e086aaacff70b900409d961c213a3dea196cb42
Opcode Fuzzy Hash: bd890190749d9788bd74039958269229202a4985d17e704bfbe9260c41da18c8
Instruction Fuzzy Hash: 86B2B730FE1BA0ABEEF456695C96BFE508F6B50B14F10841AB601FA2C7CFF589C541A1

Uniqueness

Uniqueness Score: -1.00%

Function 06730048, Relevance: 1.7, Strings: 1, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 067300AD

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 366c9f2ff7d3071940411c1c3336a022ee210cf9cdc94cb121acc5f9c0721f16
Instruction ID: 10f9dd455ddfc6b30258f2a3ca06a997af0d1ea2a7e9ee373e45df6280d18d57
Opcode Fuzzy Hash: 366c9f2ff7d3071940411c1c3336a022ee210cf9cdc94cb121acc5f9c0721f16
Instruction Fuzzy Hash: 0AF1BE34F106598FDB64DBA4C881B7EB7B2BF84304F248429D5069B7A6DB34ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0142C996, Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0142CA87

Memory Dump Source

Source File: 00000005.00000002.836333035.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9ad9c67dc392fc3b7ca9b94c428a62f2d84e984c8854222487dbd9165b691e9c
Instruction ID: d6e14ee4d6f7283cf6cb08c4335d172f013d796189213ebc76863cff20dcd4ca
Opcode Fuzzy Hash: 9ad9c67dc392fc3b7ca9b94c428a62f2d84e984c8854222487dbd9165b691e9c
Instruction Fuzzy Hash: F24145B1E006688FDB24CFA8C88579EBBF1FB48314F14812AD815EB795D7749886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0142928C, Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0142CA87

Memory Dump Source

Source File: 00000005.00000002.836333035.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 29262be9ad7034616340f46c27efe2b3c53ce5366d2cd01dc1685b769529b3a7
Instruction ID: 29c2abb8106fc737877547c8aab1542bfd2737b149f038c4607a601496ea3387
Opcode Fuzzy Hash: 29262be9ad7034616340f46c27efe2b3c53ce5366d2cd01dc1685b769529b3a7
Instruction Fuzzy Hash: DE417AB1E006288FDB24CFA9C88479EBBF1FB48304F14812AD815E7395D7749886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01422F24, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01422FE1

Memory Dump Source

Source File: 00000005.00000002.836333035.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5114d53079b689abebb1420dc7bb85dbd3855061bc89ae183ba1ac436ab783c7
Instruction ID: 8507d1fc2de6e5c8881dc26aa6024497974c96be51a2123ee573940f36a947c0
Opcode Fuzzy Hash: 5114d53079b689abebb1420dc7bb85dbd3855061bc89ae183ba1ac436ab783c7
Instruction Fuzzy Hash: 1E41F4B1C0465CCFDB24CFA9C884BDEBBB1BF49304F24805AD409AB265DB75594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 01421A88, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01422FE1

Memory Dump Source

Source File: 00000005.00000002.836333035.0000000001420000.00000040.00000001.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5d2aa580918f13327cbf84717e2ec5c0a9d81a7ccbcbcbf907f72d0f914f57d1
Instruction ID: e31e08dfa8cd80b11c86c23fec0c37f77d7c17bf46afcb2771d18e20a146aacb
Opcode Fuzzy Hash: 5d2aa580918f13327cbf84717e2ec5c0a9d81a7ccbcbcbf907f72d0f914f57d1
Instruction Fuzzy Hash: 0141F3B1C0462CCBDB24CFA9C844BDEBBB1BF49304F60805AD509AB265DB756949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06730001, Relevance: 1.5, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 067300AD

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: ac5230b691750852d86ae323a2e8c5923bbbcfb3256077604577e0694e51ee2e
Instruction ID: b80b352bcb0fd888f279c6059d0992ead5061b8fccee67db751d1f48f0bff3cd
Opcode Fuzzy Hash: ac5230b691750852d86ae323a2e8c5923bbbcfb3256077604577e0694e51ee2e
Instruction Fuzzy Hash: AD911470F107558FEB688B64C891BAE7BB6AF85308F288469D101DF3A6DEB5DC01C791

Uniqueness

Uniqueness Score: -1.00%

Function 06734578, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefc97faf0dfe25c5c764dd7b38b85add94e41e9391cb5bf447569b703c37229
Instruction ID: 3e42c77948c00fed359a07ec993ee30ff10f2d88824546d00032fd8c1d7ccad2
Opcode Fuzzy Hash: aefc97faf0dfe25c5c764dd7b38b85add94e41e9391cb5bf447569b703c37229
Instruction Fuzzy Hash: 2B21F43134414A8F9B59CB38C4A4E7C7BE2EF8921439540A8E54ACB366DF34EC56C798

Uniqueness

Uniqueness Score: -1.00%

Function 0673441D, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7117ecfc49d0f94a3a6f70d60a5e432d9612a174a0ca43299dd08947ba5c81fd
Instruction ID: 8a6a8c5291361b94f12dc47dab9a1f2513cd9a8289e846bf24abe4e213064c80
Opcode Fuzzy Hash: 7117ecfc49d0f94a3a6f70d60a5e432d9612a174a0ca43299dd08947ba5c81fd
Instruction Fuzzy Hash: 5221A07A305B519FC7069B20D87442DBBB7FB8D2003046546D856C374BDB38AE62CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 0136D4EC, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.836089658.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_136d000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f5b56cbc29f4a5e3c15cc1bc1ee4866e3ffca633d29d5ccd08a0ebf3a0bc42
Instruction ID: 13caae1df8b10e245efafbb73fdbfc08f991e5ff58344397ccf94cfd0d2e626c
Opcode Fuzzy Hash: 13f5b56cbc29f4a5e3c15cc1bc1ee4866e3ffca633d29d5ccd08a0ebf3a0bc42
Instruction Fuzzy Hash: E221F371604244DFDB01CF94D8C0B16BF65FB8832CF24C5A9EA490F65AC336D916CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0137D140, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.836123302.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_137d000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadf91961b3e9a6eba7ae3dbefccf41d0eeef62103c6cbeb5e286a17809e2246
Instruction ID: 58ec1bc1097ebed53d5a2ffc785b1f7511353b65c52ed869be22ffa5b5ba9d13
Opcode Fuzzy Hash: fadf91961b3e9a6eba7ae3dbefccf41d0eeef62103c6cbeb5e286a17809e2246
Instruction Fuzzy Hash: 0C11E1B5504244DFDB11CF94E9C0B26BBA1FF84328F24C6ADE8094E746C33AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06734460, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9318fb92741e20717f97381990d78ce002ecb7c4848a7264d96330f33e528849
Instruction ID: 8b6aa33108e07e6d67ae97275a1c06fa9b430fe0f1f2dffcfcf01b079d1d668f
Opcode Fuzzy Hash: 9318fb92741e20717f97381990d78ce002ecb7c4848a7264d96330f33e528849
Instruction Fuzzy Hash: 0711B179300A15DB87059B11D47842EB7B7FBCC615310A614DD1AC374ADB34BEA38AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0136D57E, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.836089658.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_136d000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d9e2d5638be81c4c55ae2ffa6c37ec15d81233bed137c28215548ac88b7147
Instruction ID: 0830f400e0dde32bd844d3a9fa2606eb668dd11e306d506d6027573f3f549fdf
Opcode Fuzzy Hash: 42d9e2d5638be81c4c55ae2ffa6c37ec15d81233bed137c28215548ac88b7147
Instruction Fuzzy Hash: 60119E75504244DFCF06CF54D5C0B66BF62FB88328F28C6A9D94A0F61AC336D556CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0137D1C9, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.836123302.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_137d000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f53d78366b38dee22a24772efceccba442e808d3846d610b6ac72b4e025d3
Instruction ID: 84c6218c34fe469c5a0de3eb1db62f6d396a44b13c35a84da6e2bc870d2672fd
Opcode Fuzzy Hash: 7c5f53d78366b38dee22a24772efceccba442e808d3846d610b6ac72b4e025d3
Instruction Fuzzy Hash: 8F11AC75504244DFCB12CF54E584B16BBA2FF84328F24C6A9D80A4F75AC33AD446CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06731D4D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.843309706.0000000006730000.00000040.00000001.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6730000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c93742f2c85d0d59674fd029cd73824c9f727295936ead63ac77e136fe4c501
Instruction ID: 41628564306faf007849f29b19a666a3d076eea3e262958acc0ce17aedac8431
Opcode Fuzzy Hash: 3c93742f2c85d0d59674fd029cd73824c9f727295936ead63ac77e136fe4c501
Instruction Fuzzy Hash: A7D0A736B011199EEB40D648E4408DCF365EB94210F608077D204D7004CF305E5A8B93

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 066C0868, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 066C08D8
GetCurrentThread.KERNEL32 ref: 066C0915
GetCurrentProcess.KERNEL32 ref: 066C0952
GetCurrentThreadId.KERNEL32 ref: 066C09AB

Memory Dump Source

Source File: 00000005.00000002.843260897.00000000066C0000.00000040.00000001.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66c0000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e55f0feffcd4147e30930785384bc6d1a85c1f61217f54cfd86599a5f0ef3275
Instruction ID: 7b7591b1d4b0653d2908056380d9f2058ef2481875512759a886f398950e3a40
Opcode Fuzzy Hash: e55f0feffcd4147e30930785384bc6d1a85c1f61217f54cfd86599a5f0ef3275
Instruction Fuzzy Hash: 125174B0D00A498FDB54DFAAD989BAEBBF0EB48314F20845EE019A7351CB355985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066C0878, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 066C08D8
GetCurrentThread.KERNEL32 ref: 066C0915
GetCurrentProcess.KERNEL32 ref: 066C0952
GetCurrentThreadId.KERNEL32 ref: 066C09AB

Memory Dump Source

Source File: 00000005.00000002.843260897.00000000066C0000.00000040.00000001.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66c0000_CDC GUIDES COVID-19 Second Outbreak Warning release.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: eb38b6cdbff6b9d937947f47a8c301a3322a7b6943a62ebc8d12d0b1aa3ff7ff
Instruction ID: 85949a6e68bfd439a762a055a75a9f5f626540bd903b043a3ef57254ed495696
Opcode Fuzzy Hash: eb38b6cdbff6b9d937947f47a8c301a3322a7b6943a62ebc8d12d0b1aa3ff7ff
Instruction Fuzzy Hash: DF5153B0D00B498FDB54DFAAD949BAEBBF0EB48314F20845EE019A7351DB355984CB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vlc.exe PID: 6588 Parent PID: 3388 vlc.exeCOMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	100
Total number of Limit Nodes:	0

Executed Functions

Function 04E2CD4C, Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E2CF8E

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fd04b9719a5f249912d7e9ae33f0e74343e2f17f9641046b18395e3d962364b4
Instruction ID: 3a0346c169080dc9c5ae3a09729c666c87c13e6a6e54d990210fe959411aabf4
Opcode Fuzzy Hash: fd04b9719a5f249912d7e9ae33f0e74343e2f17f9641046b18395e3d962364b4
Instruction Fuzzy Hash: 7C915D71D00229DFDF10DF68C981BEDBBB2BF48318F248569E909A7290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E2CD58, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E2CF8E

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 333a4b0d89f9448c3e49a0ded158addefb3f63589c20de08bc51ea75177ee154
Instruction ID: 217dbd88bf5b2bd0afb3ef23b1b425e8d77a0844a46db4fc967acecce2daa6be
Opcode Fuzzy Hash: 333a4b0d89f9448c3e49a0ded158addefb3f63589c20de08bc51ea75177ee154
Instruction Fuzzy Hash: 92915C71D00229DFDB10DF68C941BEDBBB2BF48318F248569E809A7290DB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E2E604, Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000000), ref: 04E2E75C

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 70d634b439773351939878edc52b985928c03a2d942093927a8eb2624cc7afd7
Instruction ID: 4d0585bfbb9faaf05e877d666091de2151053da942202727195e7c355a59970f
Opcode Fuzzy Hash: 70d634b439773351939878edc52b985928c03a2d942093927a8eb2624cc7afd7
Instruction Fuzzy Hash: 0C514A70D002288FDB14CFA9C995BDDBBF1AF48308F248429E816BB391D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E2E610, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000000), ref: 04E2E75C

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5ede044c31727d3a85ca2b10a3eb928f94d24b6461ae36b44103dc83dac081c1
Instruction ID: bf5b6d4d9d005d8eec4004c45bc9aaaa67d7fa7b72ad3aaacf51c263e72269e9
Opcode Fuzzy Hash: 5ede044c31727d3a85ca2b10a3eb928f94d24b6461ae36b44103dc83dac081c1
Instruction Fuzzy Hash: 09512A70D002288FDB14CFA9C595BDEBBF5AF48314F24842DD815AB391DB74A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D2B4, Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00D0D3A7

Memory Dump Source

Source File: 0000000E.00000002.352617520.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d00000_vlc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 768b46e50d7d9cd1a13d16dd3b55fc0ea620878f2421529403c2fc3862575a03
Instruction ID: 2ea6561c981917dbe9ec41dbdda67f0399bade7b4c23e3fae12c1bf8468c0e4e
Opcode Fuzzy Hash: 768b46e50d7d9cd1a13d16dd3b55fc0ea620878f2421529403c2fc3862575a03
Instruction Fuzzy Hash: 62413670D006588FDB10CFE9D88579EBBF2AB48314F14852AE819E7381D774A846CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D09BB8, Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00D0D3A7

Memory Dump Source

Source File: 0000000E.00000002.352617520.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d00000_vlc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cb13c2c6e869403621aad58c830f0137dcce02a2de64bef97c49b4c161af46a4
Instruction ID: 55a9899107ca347ef143085756a74486282b5c72d399f42bfe8e2dfc40daf58c
Opcode Fuzzy Hash: cb13c2c6e869403621aad58c830f0137dcce02a2de64bef97c49b4c161af46a4
Instruction Fuzzy Hash: 5E412771D106588FDB10CFE9D88579EBBF2AB48314F14812AE819EB385D774A845CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04E2CA2A, Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E2CAC0

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 84f31db40accedc4a770d6df10cadb0175022031f6b6f98d15af1110dd7ffe3f
Instruction ID: 63c53512bd1d93da532bda079483a07d489ec4e0d7d5f79e6787d2111f68e12c
Opcode Fuzzy Hash: 84f31db40accedc4a770d6df10cadb0175022031f6b6f98d15af1110dd7ffe3f
Instruction Fuzzy Hash: 70215AB19003599FCF10DFAAC9817DEBBF4FF48314F148429E959A7640DB78A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E2CA30, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E2CAC0

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c8298d9828f7ae5cc5c44118d7b798621a15ed519bb01e2235d38b8c4526e934
Instruction ID: c2243b29bc02d347d193eddafb15b6bf72cf6dffd2e0eef3cd3859c4c2057257
Opcode Fuzzy Hash: c8298d9828f7ae5cc5c44118d7b798621a15ed519bb01e2235d38b8c4526e934
Instruction Fuzzy Hash: E42139B19003599FCF10CFAAC9857DEBBF5FF48314F148429E959A7241DB78A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E2C892, Relevance: 1.6, APIs: 1, Instructions: 65
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04E2C916

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1dbc2f47985fd740e0729c703e504d758b90532c74de27a1e1c8e7fb7dd9178d
Instruction ID: 4f8798ef18ba8fd6cba13d71567198fe291c7e5279e982ba03af937c60656084
Opcode Fuzzy Hash: 1dbc2f47985fd740e0729c703e504d758b90532c74de27a1e1c8e7fb7dd9178d
Instruction Fuzzy Hash: BC2157719003188FDB10DFAAC8857EEBBF4EF48224F54842AD519A7641CB78A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E2CB18, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E2CBA0

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 92c45063e52cb1e45a5554ed9ed95a9ce91ac09294a672ab4c72be65e3bdacad
Instruction ID: b04ffc51b9fe23c9480b473b2ecdb13baec46ad38b6758493deb769ebc5818a0
Opcode Fuzzy Hash: 92c45063e52cb1e45a5554ed9ed95a9ce91ac09294a672ab4c72be65e3bdacad
Instruction Fuzzy Hash: 1D212771C003499FCB10DFAAC9846DEBBB5FF48314F14842AE959A7241C7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E2C898, Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04E2C916

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b816e6de7efa6f7718641b8e1a7b88b2dc4e0d86a03c3aedf62ed3072291b543
Instruction ID: c568112e0cb68b54f22f5c8b6516e2df7321f890b87001ed0d4d592799fc77bb
Opcode Fuzzy Hash: b816e6de7efa6f7718641b8e1a7b88b2dc4e0d86a03c3aedf62ed3072291b543
Instruction Fuzzy Hash: AD216571D003088FDB10DFAAC8857EEBBF4EF48324F24842AD519A7241CB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E2CB20, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E2CBA0

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 69c113867166c56d8913f13f807ac488bb5f04842825237ca467d5b8741a193f
Instruction ID: c704511c4c8c5ebf7947fe953402d9f00751342545294cd23916a5bda2872f10
Opcode Fuzzy Hash: 69c113867166c56d8913f13f807ac488bb5f04842825237ca467d5b8741a193f
Instruction Fuzzy Hash: 132116718003599FCB10DFAAC984AEEBBF5FF48314F10842AE919A7241CB789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E2C96A, Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E2C9DE

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4aa85661dc6f175b3a1ddd5f06d74d2f4a733d22902e7e52bc8b480e5c62b3b5
Instruction ID: caff7da3eeeec42e01bf452c9de8e40154c1cec0cb97964d68832d84582f992f
Opcode Fuzzy Hash: 4aa85661dc6f175b3a1ddd5f06d74d2f4a733d22902e7e52bc8b480e5c62b3b5
Instruction Fuzzy Hash: B0116A728002489FCF10DFAAC8457EFBBF5EF48324F248819E515A7650CB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E2C970, Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E2C9DE

Memory Dump Source

Source File: 0000000E.00000002.356782418.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e20000_vlc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc5f2c63034bee5f39eea55f1c6cc02dd85f48e59fe8694de86dce3afd8362c4
Instruction ID: a4d0d5e2e04f7fc34e161e65a8d16551bd7e5b6f1f00872a0f50c15830769812
Opcode Fuzzy Hash: fc5f2c63034bee5f39eea55f1c6cc02dd85f48e59fe8694de86dce3afd8362c4
Instruction Fuzzy Hash: FF1137729002499FCF10DFAAD8457EFBBF5AF48324F248819E525A7250CB75A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D589, Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00D0D5F2

Memory Dump Source

Source File: 0000000E.00000002.352617520.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d00000_vlc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fe22604424ed049f42f7e57dcc1a6ba5847ed2ce70372901154a70c3184eccfc
Instruction ID: 3df023040428d6baeab647e7ad0f02922e27e69e7acff67d0d1c0c7c724237bf
Opcode Fuzzy Hash: fe22604424ed049f42f7e57dcc1a6ba5847ed2ce70372901154a70c3184eccfc
Instruction Fuzzy Hash: B01116B19042488FDB20DFAAD8447EFBBF5AB88324F24841AD519B7650CB789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D590, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00D0D5F2

Memory Dump Source

Source File: 0000000E.00000002.352617520.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d00000_vlc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fe663a4be77f251a99b084811fdcd8acf5a1eb11224cb5796524c59ebbbcbec1
Instruction ID: 3ecebdb38889a5bec7db67f95130fc1e1bfa9bf2fda2d422d5e58bea06d003d6
Opcode Fuzzy Hash: fe663a4be77f251a99b084811fdcd8acf5a1eb11224cb5796524c59ebbbcbec1
Instruction Fuzzy Hash: A5113A719043488BCB10DFAAD8447DFFBF5AF88324F24841AD519A7740CB78A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vlc.exe PID: 6824 Parent PID: 3388 vlc.exeCOMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	63
Total number of Limit Nodes:	2

Executed Functions

Function 050ECD4C, Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050ECF8E

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 56d3837ac243b3b682e8245e8022b6b5664412105a8ef94821180faa1fb9f7e6
Instruction ID: f1982d59985309ce7d47460b8e2f8192ec247b641b151916305ee17d966534b4
Opcode Fuzzy Hash: 56d3837ac243b3b682e8245e8022b6b5664412105a8ef94821180faa1fb9f7e6
Instruction Fuzzy Hash: BBA18871D04219CFEB20CF68D884BEDBBF2BF48304F248569E809A7280DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050ECD58, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050ECF8E

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 66b16ac4293f55d7b150c1c02a942e823f74dae3a809a7c53476c636af0342b0
Instruction ID: 1afea5c96e248ba8b4739ecb3dc57a222b432b1a2c4752a5ab8dd83bc755c791
Opcode Fuzzy Hash: 66b16ac4293f55d7b150c1c02a942e823f74dae3a809a7c53476c636af0342b0
Instruction Fuzzy Hash: EE917871D00219CFEB20CF68D884BEDBBF2FB48304F248569E809A7280DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050EE604, Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000000), ref: 050EE75C

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 706bc503fcda182995c24a9c5a2491333d91511e5089e304df8a9f28c9b88b17
Instruction ID: 85e889c518d55a2a0b7cb96bf481652210622e87c792aad124d0f10f649a934f
Opcode Fuzzy Hash: 706bc503fcda182995c24a9c5a2491333d91511e5089e304df8a9f28c9b88b17
Instruction Fuzzy Hash: F0517774D042088FDB14CFA9D994BEDBBF5BF49304F248029E816AB391DB749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050EE610, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(00000000), ref: 050EE75C

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e8896e27117211b4facf0ae3be0a9be20a2d5b692d6921338977077e3dd3931c
Instruction ID: 620e8e68abd7cdbdb25550e36dfc4a15dbdf9c3ccc52fd0dbd987b359b9367eb
Opcode Fuzzy Hash: e8896e27117211b4facf0ae3be0a9be20a2d5b692d6921338977077e3dd3931c
Instruction Fuzzy Hash: C4512770E042088FDB14CFA9D994BDEBBF5BF48304F248029D856AB391DB749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050ECA2B, Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050ECAC0

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: df725f274da31daeb1a8ad8497a7303fe7ddcd105f13df55d769a7a98962307e
Instruction ID: 1c388d38b863a66e942003c75d4539aa48b9589b9c94eb65a0f50736985c8e9e
Opcode Fuzzy Hash: df725f274da31daeb1a8ad8497a7303fe7ddcd105f13df55d769a7a98962307e
Instruction Fuzzy Hash: AE2126729003499FCB10CFAAD885BDEBBF5FF48314F14842AE919A7641DB789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050ECA30, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050ECAC0

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8ede358ec99e155955b7b4fb9808be042f1b3eeed0badfe759540be81acbeb2d
Instruction ID: 0d7c7a587b615408ff3187ca98717ef4f1bfce62dd3623a9387bc5fbfc2215d4
Opcode Fuzzy Hash: 8ede358ec99e155955b7b4fb9808be042f1b3eeed0badfe759540be81acbeb2d
Instruction Fuzzy Hash: 832126719003499FCB10CFAAD885BDEBBF5FF48314F14842AE919A7641DB789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050ECB18, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 050ECBA0

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38c87d62ad1c90ffe2edc2ecb222c639ae52167d3e4b29103c02e6da949fe77d
Instruction ID: 2129e09e5c0c88111dfd7ed12b0a9570a0cbb9a5d04be56c0481262feb9012be
Opcode Fuzzy Hash: 38c87d62ad1c90ffe2edc2ecb222c639ae52167d3e4b29103c02e6da949fe77d
Instruction Fuzzy Hash: E2213671C007499FCB10DFAAC880AEEBBF5FF48314F14842EE959A7241CB789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050EC893, Relevance: 1.6, APIs: 1, Instructions: 64
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 050EC916

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4a373a8252b4ffcdcd91454025e6c3f41215c427b25baa4e455fcc36d43be48d
Instruction ID: 66f690cf87bfbc75c4969d38edf7b1e2c30b8e565a524ab9c2bad814728a97a4
Opcode Fuzzy Hash: 4a373a8252b4ffcdcd91454025e6c3f41215c427b25baa4e455fcc36d43be48d
Instruction Fuzzy Hash: 27214371D043088FDB10DFAAC8857AEBBF4EB48224F14802AE519A7241CB78A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050EC898, Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 050EC916

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 92c9726319bdf23b0016e11078394e5c9d5ec2831846610dcd2d1500eeea5aa8
Instruction ID: 258a9fb0af17f68bf009221e89f0b8648d4f76acf97e46ec70709d6799e636ab
Opcode Fuzzy Hash: 92c9726319bdf23b0016e11078394e5c9d5ec2831846610dcd2d1500eeea5aa8
Instruction Fuzzy Hash: B1213471D043098FDB10DFAAC4857EEBBF4FF48224F14842AD559A7241CB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050ECB20, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 050ECBA0

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 894ad855ce5cc49c08c18b34d6f42db17864aaad91a5fbc8d3412fc6d73300a4
Instruction ID: 39f3ac6aa384c8e28212b65c256ec070eb759a5bf6235d2d63b919f528bbca82
Opcode Fuzzy Hash: 894ad855ce5cc49c08c18b34d6f42db17864aaad91a5fbc8d3412fc6d73300a4
Instruction Fuzzy Hash: EE212871C007499FCF10DFAAD880AEEBBF5FF48314F14842AE519A7241CB789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050EC96B, Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050EC9DE

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a28b651b3b33649a6e9b81280ec953b5004416f205d2bc0fd476c4c80b0b195
Instruction ID: 61f3215a274ae6cf5b9331331e2609cb44f38b3ffa97cebad06fca8b7956bdea
Opcode Fuzzy Hash: 0a28b651b3b33649a6e9b81280ec953b5004416f205d2bc0fd476c4c80b0b195
Instruction Fuzzy Hash: 1D1156729002489FCF10DFAAD8447EEBBF5EF48324F248419E525A7250CB759944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 050EC970, Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050EC9DE

Memory Dump Source

Source File: 0000000F.00000002.375744002.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50e0000_vlc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 344abef96d4ec8990419ba85bafa2cce488402f00952cca234a2ec20905feaaf
Instruction ID: fb4dd4727423a535caf76fe30da15c28ccaa1840062a50f2e0dccc3e1721aa95
Opcode Fuzzy Hash: 344abef96d4ec8990419ba85bafa2cce488402f00952cca234a2ec20905feaaf
Instruction Fuzzy Hash: 9B1137729042499FCF10DFAAD8447EFBBF5EF48324F248419E525A7250CB759944CFA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vlc.exe PID: 2172 Parent PID: 6588 vlc.exeCOMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	1

Executed Functions

Function 032E2F24, Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 032E2FE1

Memory Dump Source

Source File: 00000014.00000002.359956519.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_vlc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c19610d153355623871664541264881a52f018550e76111ef3922c9aac56c5b6
Instruction ID: 3dca1b791c41d339d14de34383b4938adcb672b5e4f4c22c87126fe652e13e57
Opcode Fuzzy Hash: c19610d153355623871664541264881a52f018550e76111ef3922c9aac56c5b6
Instruction Fuzzy Hash: 994130B1C00259CFCB20DFA9C884BCEBBB5BF88304F248059D419AB252DB752949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 032E928C, Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 032ECA87

Memory Dump Source

Source File: 00000014.00000002.359956519.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_vlc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 557719f480a1784c0061fb3ec429a43a11e4a4e492928ee3bf8a8277728dea48
Instruction ID: 594722116fa75ba9add13ee112569825f7f76b05007efe3122ab9355371481e5
Opcode Fuzzy Hash: 557719f480a1784c0061fb3ec429a43a11e4a4e492928ee3bf8a8277728dea48
Instruction Fuzzy Hash: 644155B1D106298FDB10DFA9C885B9EBBF5BB48304F148129E815EB380D7749885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032EC997, Relevance: 1.6, APIs: 1, Instructions: 96
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 032ECA87

Memory Dump Source

Source File: 00000014.00000002.359956519.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_vlc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f22abfe4d5baadcd33fa9444a646d4200b399981046cd52f2a2a831bbe4d01a0
Instruction ID: 30d0b335adc52ef3ff8672eec4b98bf01613b7bb257f200549b3104313f86850
Opcode Fuzzy Hash: f22abfe4d5baadcd33fa9444a646d4200b399981046cd52f2a2a831bbe4d01a0
Instruction Fuzzy Hash: 8E4155B1D106298FDB10CFE8C88679EBBF5BB48304F14812AD815EB385D7749886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032E1A88, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 032E2FE1

Memory Dump Source

Source File: 00000014.00000002.359956519.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_vlc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6f3806bedcdd8fd7fa85c8dc7533c890c77c6b4a62cafc58ec03fdedc6c5eb03
Instruction ID: 459cbf04b07abcd2d46ee8203f0de8c3aa13515037bbe90b64171ec0fdf42f42
Opcode Fuzzy Hash: 6f3806bedcdd8fd7fa85c8dc7533c890c77c6b4a62cafc58ec03fdedc6c5eb03
Instruction Fuzzy Hash: 52411070C1471DCFDB24DFA9C884B9EBBB5BF48304F24806AD509AB251DB756989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0179D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.359756848.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_179d000_vlc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae556d0209c068011d1f564a47f715c2a52f1293f73d55b1fc13c17f6872f2c
Instruction ID: b772b17ce55af6e7e4053cf01959cc70a32571f05651b44efccff3bf60df7ea5
Opcode Fuzzy Hash: dae556d0209c068011d1f564a47f715c2a52f1293f73d55b1fc13c17f6872f2c
Instruction Fuzzy Hash: 1A212871504240DFDF11DF94E9C0B26FB65FB88328F3485A9E9094B246C336D849C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0179D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.359756848.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_179d000_vlc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction ID: 6ff06fb2d87ea418d13a0d6b642e0355d8b2915cb683c3a4bf63c8673c74a3c9
Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction Fuzzy Hash: F111AF76404280CFCF12CF54E5C4B16FF71FB84324F2886A9D8090B656C33AD55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vlc.exe PID: 4080 Parent PID: 6824 vlc.exeCOMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	76
Total number of Limit Nodes:	3

Executed Functions

Function 055F44A9, Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 055F4518
GetCurrentThread.KERNEL32 ref: 055F4555
GetCurrentProcess.KERNEL32 ref: 055F4592
GetCurrentThreadId.KERNEL32 ref: 055F45EB

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 068fee6ac6c64dc0554de9fee1611845949e0c84e2933f50a52170199523450a
Instruction ID: 43f1f4a2e00dc1f5a0d4e00463e73ee5b61ed4a6d751a03973c675a627081fdd
Opcode Fuzzy Hash: 068fee6ac6c64dc0554de9fee1611845949e0c84e2933f50a52170199523450a
Instruction Fuzzy Hash: 9F5154B0900648CFDB10DFAAD9497EEBBF1FB48314F20845AE019A7351DB749984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 055F3CE0, Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 055F4518
GetCurrentThread.KERNEL32 ref: 055F4555
GetCurrentProcess.KERNEL32 ref: 055F4592
GetCurrentThreadId.KERNEL32 ref: 055F45EB

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0903836f57adcf85e17a3dfb05323e7b5b97ab1e8158815d5f9b327ef9bad06c
Instruction ID: 47b80edffb3e7a377df89996692b75212f5997003728f4ce2600838c97729fc1
Opcode Fuzzy Hash: 0903836f57adcf85e17a3dfb05323e7b5b97ab1e8158815d5f9b327ef9bad06c
Instruction Fuzzy Hash: 965165B0900648CFDB10EFAAD9497AEBBF1FF48314F20845AE119A7350DB749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02E2C996, Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02E2CA87

Memory Dump Source

Source File: 00000015.00000002.379257389.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2e20000_vlc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c7071d0bceb03c51406388cfd7d9ec71802588b57dc07d7ce2e487c359045ae0
Instruction ID: 56ed77dc9f68e0f1f8b72089281cfdab5806eac35f80b17cd6ef44496cf89d5f
Opcode Fuzzy Hash: c7071d0bceb03c51406388cfd7d9ec71802588b57dc07d7ce2e487c359045ae0
Instruction Fuzzy Hash: C8412AB1D406688FDB10CFA9C8857DEBBF1BB48318F25A12AD816E7381D7749846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E2928C, Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02E2CA87

Memory Dump Source

Source File: 00000015.00000002.379257389.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2e20000_vlc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6d0f7183da260668b0a54df9b40283245a579c2caa0018eb01451ec5a4fc0b0a
Instruction ID: 3cadc790afa8cf7fb823a0b0c51c9cdeb2311049fac42960c00dee79c6c317cc
Opcode Fuzzy Hash: 6d0f7183da260668b0a54df9b40283245a579c2caa0018eb01451ec5a4fc0b0a
Instruction Fuzzy Hash: 06413AB0D406688FDB10CFA9C88579EBBF1FB48318F25A12AD816E7380D7749849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E22F24, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E22FE1

Memory Dump Source

Source File: 00000015.00000002.379257389.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2e20000_vlc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 36258b98a836cd471f6eaab90d568925fccaf9891ad597c45f609edba2ceb2c3
Instruction ID: 8c7cae1bf7a84345aa4f0e09fb49cbf28b0ebc88c19042d1f891b19235ff028f
Opcode Fuzzy Hash: 36258b98a836cd471f6eaab90d568925fccaf9891ad597c45f609edba2ceb2c3
Instruction Fuzzy Hash: 6B41F2B1C0465CCFDB24CFA9C884BDEBBB1BF49308F248099D409AB251DB75594ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E21A88, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E22FE1

Memory Dump Source

Source File: 00000015.00000002.379257389.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2e20000_vlc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1453d9e97f27f5549e994af0ff5f2132627eda83d1bf1aab4a53d17cb554c029
Instruction ID: a79e6b9cb4b25adedbe682f0f61ab87cb7245e0780a493274eb4b67831b99bee
Opcode Fuzzy Hash: 1453d9e97f27f5549e994af0ff5f2132627eda83d1bf1aab4a53d17cb554c029
Instruction Fuzzy Hash: 7441E5B1C4472CCBDB14DFA9C844BDEBBB5BF49308F20805AD509AB251DB755949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 055F46D9, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055F4767

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f8934ec88d2fc019e74e23fe0a58d721df379de155d634a8e76fe7ad13a6982c
Instruction ID: 84045cc2c787be1ef74eeb85c20013d524b9e0ad25239ddf37b1cc1b2723e1e5
Opcode Fuzzy Hash: f8934ec88d2fc019e74e23fe0a58d721df379de155d634a8e76fe7ad13a6982c
Instruction Fuzzy Hash: 3A21E0B5901249DFDB10CFA9D984AEEBBF4FB48324F14841AE914B7310D778A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 055F46E0, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055F4767

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f1ec03debe79b815e2d351ed272d642c4cc8054e6df02c4d558e4a283737feed
Instruction ID: 4e6d7b3ee0ebfb589bd6817656ba2236b97b4561a31f3520c92f9c1057637b33
Opcode Fuzzy Hash: f1ec03debe79b815e2d351ed272d642c4cc8054e6df02c4d558e4a283737feed
Instruction Fuzzy Hash: 4121C2B5901348DFDB10CFAAD984ADEBBF9FB48324F14841AE914A7310D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055F6568, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 055F65C8

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d1d78d60deace1b5569996c4f113125fa75c41106f5f12d43b79369c8fab07fd
Instruction ID: e7c5a39c8ea3bb0245d871e1beda95d379e1a033c81a20386c8f7d7fb55f2170
Opcode Fuzzy Hash: d1d78d60deace1b5569996c4f113125fa75c41106f5f12d43b79369c8fab07fd
Instruction Fuzzy Hash: D01125B28007598FCB10DF99D485BDEBBF4FB48324F24841AD559A7740CB38A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055F6570, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 055F65C8

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d2b0f40f91242b1342625dba8b852574dd547a80dd9a9bc8392f7c7aa75e42e7
Instruction ID: e09c7aa3dc390510672f57806b5162f5283c8e78e8eb199d835eea4b7276dfd1
Opcode Fuzzy Hash: d2b0f40f91242b1342625dba8b852574dd547a80dd9a9bc8392f7c7aa75e42e7
Instruction Fuzzy Hash: 4E1103B18007498FCB10DF99D445BEEBBF4FB48324F24841AD559A7740DB38AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055F4428, Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 055F515D

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 17d5a82fab40c48e16299a869b2df924c1de06b4a06900ae063154ec50515219
Instruction ID: 2a44f9d8f1763b67af86cc6ed414b9a5c312c90b2ee19463ed8e30545df3caff
Opcode Fuzzy Hash: 17d5a82fab40c48e16299a869b2df924c1de06b4a06900ae063154ec50515219
Instruction Fuzzy Hash: 4A1115B19047488FCB10DFAAD845BDEBBF4FB48324F20841AD559A7700D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 055F5100, Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 055F515D

Memory Dump Source

Source File: 00000015.00000002.381712267.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_55f0000_vlc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2369f4843c5c68066210291d52cfaefc1915a0ff0eba738b894ebc00c003fafd
Instruction ID: 7c3b788120f78775c8d34358326c50efef0ec02f7e3e951ad23116b37396d83a
Opcode Fuzzy Hash: 2369f4843c5c68066210291d52cfaefc1915a0ff0eba738b894ebc00c003fafd
Instruction Fuzzy Hash: 1E1130B19003488FCB10DFA9D849BDEBBF4BB48324F24841AD119B7700D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DBD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.378527632.0000000002DBD000.00000040.00000001.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2dbd000_vlc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fe53f9f7c3578dba07004c723e12574cc9ac705a7241d984192673dd74b603
Instruction ID: 070f2b5cae9d8a0ff3a22d4066a189b8f74a89890d6fe9edaea52b09622ff3bd
Opcode Fuzzy Hash: 33fe53f9f7c3578dba07004c723e12574cc9ac705a7241d984192673dd74b603
Instruction Fuzzy Hash: 76213A71504240DFDB06DF54D9D0B56BBA6FF89328F24856DE90A4B346C336DC45C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02DBD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.378527632.0000000002DBD000.00000040.00000001.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2dbd000_vlc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction ID: b7cfd4a6059cc58223af5e7b0bc3deddaf037dbf193dcc0516a28c5ab1b812d7
Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
Instruction Fuzzy Hash: 2011D676404240CFCB12CF10D5C4B56BFB2FF85324F2486A9D8050B756C33AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000000.200975576.0000000000BCA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272315963.0000000005390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272529925.0000000005520000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePtgjunquq.dll4 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassLibrary3.dll< vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.833556159.0000000000B8A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDyxylehx1.exe8 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.833725048.0000000000F38000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.832620216.000000000045A000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000000.200975576.0000000000BCA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272315963.0000000005390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.272529925.0000000005520000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePtgjunquq.dll4 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassLibrary3.dll< vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000000.00000002.267762525.0000000002F82000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.833556159.0000000000B8A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.839822026.0000000003207000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDyxylehx1.exe8 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.833725048.0000000000F38000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.832620216.000000000045A000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe, 00000005.00000002.842823257.00000000061E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Source: CDC GUIDES COVID-19 Second Outbreak Warning release.exe	Binary or memory string: OriginalFilenameZzjjddspu2.exe0 vs CDC GUIDES COVID-19 Second Outbreak Warning release.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CDC GUIDES COVID-19 Second Outbreak Warning release.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 05D94660, Relevance: 2.1, Strings: 1, Instructions: 822
COMMON

Function 05D9EC10, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 05D91FA8, Relevance: 1.6, Strings: 1, Instructions: 341
COMMON

Function 05D9E7FC, Relevance: 2.1, APIs: 1, Instructions: 646
COMMON

Function 05D9CF4C, Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 05D9CF58, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02D5D2B4, Relevance: 1.6, APIs: 1, Instructions: 98
libraryCOMMON

Function 02D59BB8, Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Function 05D9CC28, Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 0617C838, Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Function 05D9CC30, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 05D9CD19, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 05D9CA91, Relevance: 1.6, APIs: 1, Instructions: 65
threadinjectionCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre