Analysis Report COVID-19 CDC Secon Outbreak Warning release.scr

Overview

General Information

Sample Name: COVID-19 CDC Secon Outbreak Warning release.scr (renamed file extension from scr to exe)
Analysis ID: 319976
MD5: db0d632b83738dfc64013b9b5b7c339e
SHA1: 2f9269bfc05473a6dce71c56d25b37d8b5490bcd
SHA256: 6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
Tags: QuasarRAT, scr

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: COVID-19 CDC Secon Outbreak Warning release.exe Virustotal: Detection: 52%
Source: COVID-19 CDC Secon Outbreak Warning release.exe ReversingLabs: Detection: 58%
Yara detected Quasar RAT
Source: Yara match File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
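The memory-dump and unpacked-PE identifiers listed above follow a fixed naming scheme, and reading them tells you which process to pull a dump from and whether the hit sits in executable memory. The following Python is an added example, not part of this report or of Joe Sandbox: it parses the source names exactly as listed above and groups the Yara hits per process. The field layout is an assumption inferred from the report's own cross-references (dump 0000000F.* belongs to process 15, the same process as 15.2.winrar.exe.400000.0.unpack; 00000003.* to process 3) and from the fifth field matching the winnt.h page-protection constants (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE); the last field is left undecoded because the report does not say what it encodes.

```python
import re
from collections import defaultdict

# Windows page-protection constants (winnt.h). The fifth field of a dump name in
# this report carries one of these values; only 0x40 and 0x04 occur here.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY occupy 0x10..0x80

# Assumed layout "<proc>.<phase>.<id>.<base>.<prot>.<kind>.sdmp", inferred from
# the report's cross-references and the constants above (not documented here).
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
# "<proc>.<phase>.<image name>.<base>.<n>.unpack"; the image name may contain dots.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+)\.(?P<base>[0-9A-Fa-f]+)\.(?P<n>\d+)\.unpack$"
)

# The Yara hit sources exactly as listed in this report.
REPORT_SOURCES = [
    "0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp",
    "00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp",
    "00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp",
    "0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp",
    "00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp",
    "00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp",
    "00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp",
    "15.2.winrar.exe.400000.0.unpack",
    "3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack",
    "13.2.winrar.exe.400000.0.unpack",
]


def parse_dump(name):
    """(process_index, phase, base_address, protection) for an .sdmp name, else None."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    return (int(m["proc"], 16), int(m["phase"], 16),
            int(m["base"], 16), int(m["prot"], 16))


def parse_unpack(name):
    """(process_index, phase, image_name, base_address) for an .unpack name, else None."""
    m = UNPACK_RE.match(name)
    if m is None:
        return None
    return (int(m["proc"]), int(m["phase"]), m["image"], int(m["base"], 16))


def summarize(sources):
    """Group hits per process: RWX regions, RW regions, and unpacked image bases."""
    out = defaultdict(lambda: {"rwx": [], "rw": [], "unpacked": [], "image": None})
    for src in sources:
        d = parse_dump(src)
        if d is not None:
            proc, _, base, prot = d
            out[proc]["rwx" if prot & EXECUTE_MASK else "rw"].append(base)
            continue
        u = parse_unpack(src)
        if u is not None:
            proc, _, image, base = u
            out[proc]["unpacked"].append(base)
            out[proc]["image"] = image
    return dict(out)


def injected_candidates(summary, window=0x10000):
    """Processes with an executable+writable hit within `window` bytes above an
    unpacked image base: the layout left when a PE is written into a process
    that was started suspended (see the report's injection signatures)."""
    hits = []
    for proc, info in summary.items():
        if any(0 <= rwx - ub < window for rwx in info["rwx"] for ub in info["unpacked"]):
            hits.append(proc)
    return sorted(hits)


if __name__ == "__main__":
    s = summarize(REPORT_SOURCES)
    for proc in sorted(s):
        print(proc, s[proc])
    print("injection candidates:", injected_candidates(s))
```

Run as written, it reports processes 3, 13 and 15 as carrying an RWX region at 0x402000 directly above an unpacked image at 0x400000, while processes 0, 5 and 9 only hold the payload in read-write heap memory; that split is what you would expect from a .NET loader that keeps the RAT in memory and then writes it into a suspended child, which is how the suspended-process and PE-injection signatures above line up with these dumps.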
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: COVID-19 CDC Secon Outbreak Warning release.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49748 -> 185.244.26.221:4782
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://api.ipify.org/
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://freegeoip.net/xml/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://ip-api.com/json/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com4Ck
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ocsp.thawte.com0
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://s.symcd.com06
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925473782.00000000032E3000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: COVID-19 CDC Secon Outbreak Warning release.exe String found in binary or memory: https://www.globalsign.com/repository/0
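The networking indicators in this section (the ip-api.com lookup with the Firefox/48.0 user agent, the geo-IP service strings api.ipify.org and freegeoip.net, and the TCP session to 185.244.26.221:4782) are easy to turn into a triage rule. The Python below is an added example, not part of this report, of Joe Sandbox, or of Quasar's own code: it scans a small constructed log (an assumed "timestamp kind key=value" format, not any real sensor's output; the timestamps and every host except the sandbox VM 192.168.2.4 and the addresses named in the report are made up) for those indicators, and only raises a host when it both performed a geo-IP lookup and reached the C2 or an unusual port, because the lookup on its own is common to plenty of legitimate software. Port 4782 is the port the sandbox observed here; it is also QuasarRAT's default listen port, which is why it gets its own label.

```python
import shlex
from collections import defaultdict

# Indicators taken from this report's Networking section.
GEOIP_SERVICES = {"ip-api.com", "api.ipify.org", "freegeoip.net"}
C2_ADDRESSES = {("185.244.26.221", 4782)}
REPORT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
QUASAR_DEFAULT_PORT = 4782
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}

# Constructed sample log (assumed format for this example). Host .4 replays the
# report's traffic; .7 is benign filler; .9 does a geo-IP lookup but nothing else.
SAMPLE_LOG = """\
2020-11-17T10:01:02Z dns src=192.168.2.4 query=ip-api.com
2020-11-17T10:01:02Z http src=192.168.2.4 host=ip-api.com uri=/json/ ua="Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
2020-11-17T10:01:03Z conn src=192.168.2.4 sport=49748 dst=185.244.26.221 dport=4782 proto=tcp
2020-11-17T10:05:00Z dns src=192.168.2.7 query=www.example.com
2020-11-17T10:05:01Z http src=192.168.2.7 host=www.example.com uri=/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/82.0"
2020-11-17T10:06:00Z conn src=192.168.2.7 sport=51000 dst=203.0.113.10 dport=443 proto=tcp
2020-11-17T10:07:00Z dns src=192.168.2.9 query=ip-api.com
2020-11-17T10:07:01Z conn src=192.168.2.9 sport=52000 dst=208.95.112.1 dport=80 proto=tcp
"""


def parse_line(line):
    """Split 'ts kind k=v k="v with spaces"' into a dict, or None if malformed."""
    tokens = shlex.split(line)
    if len(tokens) < 2:
        return None
    rec = {"ts": tokens[0], "kind": tokens[1]}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def indicators_for(rec):
    """Labels for every report indicator a single record matches."""
    hits = []
    kind = rec["kind"]
    if kind == "dns" and rec.get("query", "").lower() in GEOIP_SERVICES:
        hits.append("geoip-dns:" + rec["query"])
    if kind == "http":
        if rec.get("host", "").lower() in GEOIP_SERVICES:
            hits.append("geoip-http:" + rec["host"] + rec.get("uri", ""))
        if rec.get("ua") == REPORT_USER_AGENT:
            hits.append("hardcoded-ua")
    if kind == "conn":
        dst, dport = rec.get("dst"), int(rec.get("dport", 0))
        if (dst, dport) in C2_ADDRESSES:
            hits.append("known-c2:%s:%d" % (dst, dport))
        elif dport == QUASAR_DEFAULT_PORT:
            hits.append("quasar-default-port")
        elif dport not in COMMON_PORTS:
            hits.append("nonstandard-port:%d" % dport)
    return hits


def scan(log_text):
    """Map each source host to the ordered list of indicators it triggered."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        for hit in indicators_for(rec):
            findings[rec.get("src", "?")].append(hit)
    return dict(findings)


def suspects(findings):
    """Hosts that did a geo-IP lookup AND reached C2 / an odd port, the two
    behaviours this report ties together for the sample."""
    out = []
    for src, hits in findings.items():
        geo = any(h.startswith("geoip-") for h in hits)
        c2 = any(h.startswith(("known-c2", "quasar-default-port", "nonstandard-port")) for h in hits)
        if geo and c2:
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for src, hits in found.items():
        print(src, hits)
    print("suspects:", suspects(found))
```

On the constructed log only 192.168.2.4 is raised: it queried ip-api.com, fetched /json/ with the report's user agent and then opened a session to 185.244.26.221:4782. Host .9 also resolved ip-api.com and talked to 208.95.112.1, but only on port 80, so it is recorded and not escalated; the "IP address seen in connection with other malware" entry above is about that service being popular with malware, not about the address itself being hostile.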

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Detected potential crypto function
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_02B11BE0 0_2_02B11BE0
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_02B14598 0_2_02B14598
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_02B10548 0_2_02B10548
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05833450 0_2_05833450
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05838580 0_2_05838580
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05832DC8 0_2_05832DC8
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05832DD8 0_2_05832DD8
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05838570 0_2_05838570
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05837423 0_2_05837423
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_05837430 0_2_05837430
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_030FF090 3_2_030FF090
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_030FF960 3_2_030FF960
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_030FED48 3_2_030FED48
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_058610B8 3_2_058610B8
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_06CA4368 3_2_06CA4368
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_06CA7140 3_2_06CA7140
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_06CA8C08 3_2_06CA8C08
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_07340FC3 3_2_07340FC3
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_07340040 3_2_07340040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_0149FB50 5_2_0149FB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_0149F808 5_2_0149F808
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E0548 5_2_057E0548
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E1BE0 5_2_057E1BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E4A50 5_2_057E4A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E9F71 5_2_057E9F71
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E47D8 5_2_057E47D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E47CB 5_2_057E47CB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 5_2_057E9F80 5_2_057E9F80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_0150FB50 9_2_0150FB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_015081E5 9_2_015081E5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_0150F808 9_2_0150F808
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A1BE0 9_2_016A1BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A4A50 9_2_016A4A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A0548 9_2_016A0548
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A4A40 9_2_016A4A40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A9F73 9_2_016A9F73
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A47C8 9_2_016A47C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A47D8 9_2_016A47D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016A9F80 9_2_016A9F80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 13_2_02D1F090 13_2_02D1F090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 13_2_02D1F960 13_2_02D1F960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 13_2_02D1ED48 13_2_02D1ED48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 15_2_00F4F090 15_2_00F4F090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 15_2_00F4F960 15_2_00F4F960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 15_2_00F4ED48 15_2_00F4ED48
PE / OLE file has an invalid certificate
Source: COVID-19 CDC Secon Outbreak Warning release.exe Static PE information: invalid certificate
PE file contains strange resources
Source: COVID-19 CDC Secon Outbreak Warning release.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winrar.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.733655475.0000000004F90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730445830.0000000003B51000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEszbxlm.dll4 vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000000.658274471.0000000000778000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary3.dll< vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924756957.00000000011A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000000.722478373.0000000001008000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924643263.000000000045A000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
Yara signature match
Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: COVID-19 CDC Secon Outbreak Warning release.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: winrar.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: COVID-19 CDC Secon Outbreak Warning release.exe, u0001/u0008.cs Cryptographic APIs: 'TransformFinalBlock'
Source: winrar.exe.0.dr, u0001/u0008.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
Source: 13.2.winrar.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
Source: 15.2.winrar.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/4@2/2
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_aEyHRwA2EwWBI7cCGO
Source: COVID-19 CDC Secon Outbreak Warning release.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: COVID-19 CDC Secon Outbreak Warning release.exe Virustotal: Detection: 52%
Source: COVID-19 CDC Secon Outbreak Warning release.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File read: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: unknown Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe 'C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe'
Source: unknown Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: COVID-19 CDC Secon Outbreak Warning release.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: COVID-19 CDC Secon Outbreak Warning release.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_0586C590 pushfd ; ret 3_2_0586C591
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_0586A622 push es; ret 3_2_0586A630
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_0586B141 push es; ret 3_2_0586B150
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_0586AD41 push es; ret 3_2_0586AD50
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_0586B980 push es; ret 3_2_0586B990
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_06B820A8 push es; iretd 3_2_06B82154
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_06CAD55E push es; ret 3_2_06CAD560
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 3_2_06CAA923 push esp; retf 3_2_06CAA9A5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016AE342 push 00000001h; retf 9_2_016AE350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Code function: 9_2_016AE33E push 00000001h; iretd 9_2_016AE340
Source: initial sample Static PE information: section name: .text entropy: 7.94855371176

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File created: \covid-19 cdc secon outbreak warning release.exe
Drops PE files
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrar

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe File opened: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Inside a VM the Manufacturer, Model and SerialNumber properties of these classes (and of Win32_ComputerSystem and Win32_Processor, queried below) return vendor strings such as "VMware, Inc.", "innotek GmbH"/"VirtualBox" or "Microsoft Corporation"/"Virtual Machine". The same classes are also read for ordinary hardware inventory and hardware-ID generation, so the query alone does not prove a VM check; a comparison against such strings in the decompiled code would.
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
SbieDll.dll is the user-mode DLL that Sandboxie injects into every sandboxed process; a successful GetModuleHandle("SbieDll.dll") tells the sample it is running under Sandboxie. The string is present in the memory of both the original process and the dropped winrar.exe, consistent with the same payload running in both.
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.729223721.0000000002B51000.00000004.00000001.sdmp, winrar.exe, 00000005.00000002.807697076.0000000003515000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.821205550.0000000003415000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730445830.0000000003B51000.00000004.00000001.sdmp, winrar.exe, 00000005.00000002.808092469.00000000041E1000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.824536467.0000000005520000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLHEAD
Contains long sleeps (>= 3 min)
922337203685477 ms is .NET TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns divided by 10,000), so these are waits that never time out rather than timed sleeps: the calling thread is parked for the life of the process while the RAT's worker threads run, and a sandbox that keys on that thread sees no further activity (see "Sample execution stops while process was sleeping" below).
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Window / User API: threadDelayed 366
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 1680 Thread sleep count: 366 > 30
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 7028 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 1680 Thread sleep count: 347 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 7056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 3660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 5320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 4664 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: winrar.exe, 00000009.00000002.821205550.0000000003415000.00000004.00000001.sdmp Binary or memory string: vmware
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
The Hyper-V strings are Windows' own HCS_E_* error-message texts from the system message table and are found in the memory of many benign processes; neither they nor the lone "vmware" string in winrar.exe memory are by themselves evidence that the sample compares its hardware against hypervisor vendors. The WMI queries above are the stronger indicator.
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 13.2.winrar.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 13.2.winrar.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 15.2.winrar.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 15.2.winrar.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Memory written: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Code function: 0_2_0583CF60 GetUserNameA, 0_2_0583CF60
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Quasar RAT
Source: Yara match File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (graph image not reproduced; details recoverable from it are listed below)

Behavior Graph ID: 319976
Sample: COVID-19 CDC Secon Outbreak...
Start date: 18/11/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
Processes started from the sample: COVID-19 CDC Secon Outbreak Warning release.exe; winrar.exe; winrar.exe
Files dropped by COVID-19 CDC Secon Outbreak Warning release.exe: C:\Users\user\AppData\Roaming\...\winrar.exe (PE32); C:\Users\user\...\winrar.exe:Zone.Identifier (ASCII); COVID-19 CDC Secon...ing release.exe.log (ASCII)
Signature on COVID-19 CDC Secon Outbreak Warning release.exe: Injects a PE file into a foreign processes
Child processes: COVID-19 CDC Secon Outbreak Warning release.exe (started by the sample); winrar.exe, winrar.exe, winrar.exe (started by the winrar.exe instances)
Network contacts from the child COVID-19 CDC Secon Outbreak Warning release.exe: devils.shacknet.us 185.244.26.221, 4782, 49748 VAMU-ASIP-TRANSITVAMURU Netherlands; ip-api.com 208.95.112.1, 49747, 80 TUT-ASUS United States
Signature on the child COVID-19 CDC Secon Outbreak Warning release.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name                 Malicious
208.95.112.1    unknown  United States  53334  TUT-ASUS                 false
185.244.26.221  unknown  Netherlands    47158  VAMU-ASIP-TRANSITVAMURU  false

Contacted Domains

Name                IP              Active
ip-api.com          208.95.112.1    true
devils.shacknet.us  185.244.26.221  true

Contacted URLs

Name                     Malicious  Antivirus Detection  Reputation
http://ip-api.com/json/  false                           high