
Analysis Report COVID-19 CDC Secon Outbreak Warning release.scr

Overview

General Information

Sample Name: COVID-19 CDC Secon Outbreak Warning release.scr (renamed file extension from scr to exe)
Analysis ID: 319976
MD5: db0d632b83738dfc64013b9b5b7c339e
SHA1: 2f9269bfc05473a6dce71c56d25b37d8b5490bcd
SHA256: 6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
Tags: QuasarRAT, scr

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • winrar.exe (PID: 6972 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe' MD5: DB0D632B83738DFC64013B9B5B7C339E)
    • winrar.exe (PID: 5256 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: DB0D632B83738DFC64013B9B5B7C339E)
  • winrar.exe (PID: 4576 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe' MD5: DB0D632B83738DFC64013B9B5B7C339E)
    • winrar.exe (PID: 5572 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: DB0D632B83738DFC64013B9B5B7C339E)
    • winrar.exe (PID: 5576 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: DB0D632B83738DFC64013B9B5B7C339E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0x3df27:$s1: DoUploadAndExecute
  • 0x3e16b:$s2: DoDownloadAndExecute
  • 0x3dcec:$s3: DoShellExecute
  • 0x3e123:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40

Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Quasar (Yara detected Quasar RAT; author: Joe Security)

Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0x42657:$s1: DoUploadAndExecute
  • 0x99477:$s1: DoUploadAndExecute
  • 0x4289b:$s2: DoDownloadAndExecute
  • 0x996bb:$s2: DoDownloadAndExecute
  • 0x4241c:$s3: DoShellExecute
  • 0x9923c:$s3: DoShellExecute
  • 0x42853:$s4: set_Processname
  • 0x99673:$s4: set_Processname
  • 0x9f54:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x60d74:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x9e78:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x60c98:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xa8de:$op3: 00 04 03 69 91 1B 40
  • 0xb12e:$op3: 00 04 03 69 91 1B 40
  • 0x616fe:$op3: 00 04 03 69 91 1B 40
  • 0x61f4e:$op3: 00 04 03 69 91 1B 40

Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp
Rule: JoeSecurity_Quasar (Yara detected Quasar RAT; author: Joe Security)

Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0x3df27:$s1: DoUploadAndExecute
  • 0x3e16b:$s2: DoDownloadAndExecute
  • 0x3dcec:$s3: DoShellExecute
  • 0x3e123:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40

(15 further memory-dump entries are not included in this extract.)

Unpacked PEs

Source: 15.2.winrar.exe.400000.0.unpack
Rule: Vermin_Keylogger_Jan18_1 (Detects Vermin Keylogger; author: Florian Roth)
Strings:
  • 0x3ec0a:$x3: GetKeyloggerLogsResponse
  • 0x3de62:$x4: GetKeyloggerLogs
  • 0x3e13a:$s1: <RunHidden>k__BackingField
  • 0x3edd2:$s2: set_SystemInfos
  • 0x3e163:$s3: set_RunHidden
  • 0x3dc96:$s4: set_RemotePath
  • 0x56628:$s6: Client.exe
  • 0x566bc:$s6: Client.exe
  • 0x32029:$s7: xClient.Core.ReverseProxy.Packets

Source: 15.2.winrar.exe.400000.0.unpack
Rule: xRAT_1 (Detects Patchwork malware; author: Florian Roth)
Strings:
  • 0x305c0:$x4: xClient.Properties.Resources.resources
  • 0x30481:$s4: Client.exe
  • 0x3e163:$s7: set_RunHidden

Source: 15.2.winrar.exe.400000.0.unpack
Rule: Quasar_RAT_1 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0x3e127:$s1: DoUploadAndExecute
  • 0x3e36b:$s2: DoDownloadAndExecute
  • 0x3deec:$s3: DoShellExecute
  • 0x3e323:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40

Source: 15.2.winrar.exe.400000.0.unpack
Rule: Quasar_RAT_2 (Detects Quasar RAT; author: Florian Roth)
Strings:
  • 0x3ec0a:$x1: GetKeyloggerLogsResponse
  • 0x3ee4a:$s1: DoShellExecuteResponse
  • 0x3e7b9:$s2: GetPasswordsResponse
  • 0x3ed1d:$s3: GetStartupItemsResponse
  • 0x3e13b:$s5: RunHidden
  • 0x3e159:$s5: RunHidden
  • 0x3e167:$s5: RunHidden
  • 0x3e17b:$s5: RunHidden

Source: 15.2.winrar.exe.400000.0.unpack
Rule: MAL_QuasarRAT_May19_1 (Detects QuasarRAT malware; author: Florian Roth)
Strings:
  • 0x4f649:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x4f87f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...

(16 further unpacked-PE entries are not included in this extract.)
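The Yara hits above are two kinds of artifact. The $s* names (DoUploadAndExecute, set_Processname, ...) are method names from the .NET #Strings heap and are plain ASCII; the $op* sequences are short IL byte patterns; and the $xc* patterns of MAL_QuasarRAT_May19_1 are cut from the #US (user string) heap, where every literal is UTF-16LE with a length prefix and a trailing flag byte, which is why "Admin" is followed by 00 11 (the flag byte, then 0x11 = 17 = 8*2+1 for the eight-character "schtasks"). The script below is an added example, not the report's or the rule author's code: it re-implements the string and opcode search over a constructed stand-in image (the offsets are those of the constructed buffer, not of the real sample), applies an assumed rule condition (the actual condition of Quasar_RAT_1 is not on the page), and decodes the two $xc* hex patterns into readable text.

```python
import re

# Strings and hex patterns copied from the Quasar_RAT_1 and
# MAL_QuasarRAT_May19_1 matches listed in the report above.
QUASAR_RAT_1_STRINGS = {
    "$s1": b"DoUploadAndExecute",
    "$s2": b"DoDownloadAndExecute",
    "$s3": b"DoShellExecute",
    "$s4": b"set_Processname",
}
QUASAR_RAT_1_OPCODES = {
    "$op1": bytes.fromhex("04 1E FE 02 04 16 FE 01 60"),
    "$op2": bytes.fromhex("00 17 03 1F 20 17 19 15 28"),
    "$op3": bytes.fromhex("00 04 03 69 91 1B 40"),
}
MAY19_HEX = {
    "$xc1": "41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00",
    "$xc2": "00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C",
}


def find_all(data, pattern):
    """Offsets of every (non-overlapping) occurrence of `pattern` in `data`."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


def scan(data):
    """Map each rule string name to the offsets where it occurs, in the same
    shape as the '0x3df27:$s1: DoUploadAndExecute' lines of the report."""
    hits = {}
    for name, pat in {**QUASAR_RAT_1_STRINGS, **QUASAR_RAT_1_OPCODES}.items():
        offsets = find_all(data, pat)
        if offsets:
            hits[name] = offsets
    return hits


def verdict(hits):
    """Assumed condition (the real rule's condition is not on the page):
    at least two of the $s* names, or all three $op* IL sequences."""
    n_strings = sum(1 for k in hits if k.startswith("$s"))
    n_ops = sum(1 for k in hits if k.startswith("$op"))
    return n_strings >= 2 or n_ops == 3


def decode_us_heap_fragment(hexpat, min_len=3):
    """Recover readable text from a hex pattern cut out of the .NET #US heap.

    #US entries are UTF-16LE with a length byte before and a flag byte after
    each string, so a fragment may start on either byte of a code unit; both
    alignments are tried and the one with the most printable ASCII wins.
    """
    raw = bytes.fromhex(hexpat)
    best = []
    for shift in (0, 1):
        chunk = raw[shift:]
        if len(chunk) % 2:
            chunk += b"\x00"  # pad the last low byte; correct for ASCII text
        text = chunk.decode("utf-16-le", errors="replace")
        runs = re.findall(r"[\x20-\x7e]{%d,}" % min_len, text)
        if sum(map(len, runs)) > sum(map(len, best)):
            best = runs
    return best


# Constructed stand-in for an unpacked .NET image: a few #Strings-heap names
# and one IL sequence at known offsets (not bytes from the real sample).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"DoShellExecute\x00"          # offset 16
    + b"set_Processname\x00"         # offset 31
    + QUASAR_RAT_1_OPCODES["$op1"]   # offset 47
    + b"\x90" * 8
    + b"DoUploadAndExecute\x00"      # offset 64
)

if __name__ == "__main__":
    hits = scan(SAMPLE_IMAGE)
    for name, offsets in sorted(hits.items()):
        print(f"{name}: {[hex(o) for o in offsets]}")
    print("Quasar_RAT_1 (assumed condition):", verdict(hits))
    for name, hexpat in MAY19_HEX.items():
        print(f"{name} decodes to {decode_us_heap_fragment(hexpat)}")
```

Decoding the two $xc* patterns yields "Admin" / "schtasks" and "ping -n 10 local", i.e. the task-scheduler persistence and the ping-delay batch idiom the rule keys on; searching the ASCII #Strings names and the UTF-16 #US literals with the same byte search is what lets one rule cover both heaps.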

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: COVID-19 CDC Secon Outbreak Warning release.exe; Virustotal: Detection: 52%
Source: COVID-19 CDC Secon Outbreak Warning release.exe; ReversingLabs: Detection: 58%
Yara detected Quasar RAT
Source: Yara match; File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match; File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match; File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match; File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match; File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match; File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match; File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
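The memory-dump identifiers in the list above encode where each Yara hit came from, and lining them up with the unpacked-PE names tells you which processes were hollowed. The parser below is an added example, not Joe Sandbox code. Its field layout (process index, stage, dump id, base address, protection, kind) is inferred from cross-checking the dumps against the unpack names on this page (0000000F against 15.2.winrar.exe, 0000000D against 13.2.winrar.exe, 00000003 against 3.2.COVID-19 ...); reading the fifth field as a Win32 PAGE_* protection constant is an assumption that fits the values 0x40 and 0x04 seen here, and the meaning of the last field is not given on the page.

```python
import re

# Win32 memory-protection constants. The identifier's fifth field is read as
# one of these (an inference from the values seen in the report, not a
# documented Joe Sandbox format).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\."
    r"(?P<base>[0-9A-Fa-f]+)\.(?P<n>\d+)\.unpack$"
)


def parse_dump(name):
    """Split a '<proc>.<stage>.<dump>.<base>.<prot>.<kind>.sdmp' identifier."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump identifier: {name}")
    prot = int(m["prot"], 16)
    return {
        "process": int(m["proc"], 16),
        "stage": int(m["stage"], 16),
        "dump_id": int(m["dump"]),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECT.get(prot, hex(prot)),
        "executable": bool(prot & 0xF0),   # any PAGE_EXECUTE* value
        "writable": bool(prot & 0xCC),     # READWRITE / WRITECOPY variants
        "kind": int(m["kind"], 16),        # meaning not given on the page
    }


def parse_unpack(name):
    """Split a '<proc>.<stage>.<image>.<base>.<n>.unpack' name."""
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpacked-PE name: {name}")
    return {
        "process": int(m["proc"]),
        "stage": int(m["stage"]),
        "image": m["image"],
        "base": int(m["base"], 16),
    }


def correlate(dump_names, unpack_names):
    """Process indices that hold a writable+executable dump and also produced
    an unpacked PE: the hollowed processes, sorted."""
    rwx = {d["process"] for d in map(parse_dump, dump_names)
           if d["executable"] and d["writable"]}
    unpacked = {u["process"] for u in map(parse_unpack, unpack_names)}
    return sorted(rwx & unpacked)


# Identifiers copied from the "Yara detected Quasar RAT" list above.
REPORT_DUMPS = [
    "0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp",
    "00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp",
    "00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp",
    "0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp",
    "00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp",
    "00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp",
    "00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp",
]
REPORT_UNPACKS = [
    "15.2.winrar.exe.400000.0.unpack",
    "3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack",
    "13.2.winrar.exe.400000.0.unpack",
]

if __name__ == "__main__":
    for name in REPORT_DUMPS:
        d = parse_dump(name)
        print(f"process {d['process']:2d} base {d['base']:#x} {d['protection']}")
    print("hollowed processes:", correlate(REPORT_DUMPS, REPORT_UNPACKS))
```

Run against the page's own identifiers, the three dumps with protection 0x40 at 0x402000 (the first section above a 0x400000 image base) belong to exactly the three processes that yielded an unpacked PE, 3, 13 and 15, while the PAGE_READWRITE heap dumps in processes 0, 5 and 9 only ever held the payload as data. That split is the memory-level counterpart of the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures.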
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: COVID-19 CDC Secon Outbreak Warning release.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: ip-api.com
Source: global traffic; TCP traffic: 192.168.2.4:49748 -> 185.244.26.221:4782
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0; Host: ip-api.com; Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: ip-api.com
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://api.ipify.org/
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://freegeoip.net/xml/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp; String found in binary or memory: http://ip-api.com
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://ip-api.com/json/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp; String found in binary or memory: http://ip-api.com4Ck
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ocsp.thawte.com0
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://s.symcd.com06
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925473782.00000000032E3000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: https://d.symcb.com/cps0%
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: https://d.symcb.com/rpa0
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: https://d.symcb.com/rpa0.
Source: COVID-19 CDC Secon Outbreak Warning release.exe; String found in binary or memory: https://www.globalsign.com/repository/0
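Three network observations in this section are worth turning into a hunt: the DNS query and GET /json/ to ip-api.com (a geolocation lookup, also present as the fallback URLs api.ipify.org and freegeoip.net in memory), the fixed Firefox 48 user agent claiming Windows NT 6.3 from what is actually a Windows 10 sandbox, and the TCP session from 192.168.2.4:49748 to 185.244.26.221:4782, a port that is also the default in Quasar's builder. The script below is an added example, not part of the report: it runs those checks over constructed Zeek-style JSON log lines (three that mirror the events above plus one benign TLS connection; none of them are taken from the sandbox pcap) and grades the result so that a geolocation lookup on its own, which legitimate software also does, stays a weak signal.

```python
import json

# Indicators copied from the networking section above.
C2_IPS = {"185.244.26.221"}
QUASAR_DEFAULT_PORT = 4782        # port used by this sample; Quasar's default
GEOIP_HOSTS = {"ip-api.com", "api.ipify.org", "freegeoip.net"}
OBSERVED_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"

# Constructed Zeek-style JSON records (not from the sandbox capture): the
# DNS query, the HTTP geolocation lookup, the C2 session, and one benign
# HTTPS connection to a documentation-range address.
SAMPLE_LOG = """\
{"_path":"dns","id.orig_h":"192.168.2.4","query":"ip-api.com"}
{"_path":"http","id.orig_h":"192.168.2.4","id.resp_h":"208.95.112.1","method":"GET","host":"ip-api.com","uri":"/json/","user_agent":"Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"}
{"_path":"conn","id.orig_h":"192.168.2.4","id.orig_p":49748,"id.resp_h":"185.244.26.221","id.resp_p":4782,"proto":"tcp"}
{"_path":"conn","id.orig_h":"192.168.2.4","id.orig_p":49750,"id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp"}
"""


def check_event(ev):
    """Return the indicator tags that fire on one log record."""
    tags = []
    path = ev.get("_path")
    if path == "dns" and ev.get("query", "").lower() in GEOIP_HOSTS:
        tags.append("geoip-service-lookup")
    elif path == "http":
        if ev.get("host", "").lower() in GEOIP_HOSTS:
            tags.append("geoip-service-lookup")
        if ev.get("user_agent") == OBSERVED_UA:
            tags.append("quasar-observed-user-agent")
    elif path == "conn":
        if ev.get("id.resp_h") in C2_IPS:
            tags.append("known-c2-ip")
        if ev.get("proto") == "tcp" and ev.get("id.resp_p") == QUASAR_DEFAULT_PORT:
            tags.append("quasar-default-port")
    return tags


def hunt(log_text):
    """Scan newline-delimited JSON; return (line_no, destination, tags) per hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        tags = check_event(ev)
        if tags:
            dest = (ev.get("host") or ev.get("query")
                    or f'{ev.get("id.resp_h")}:{ev.get("id.resp_p")}')
            hits.append((n, dest, tags))
    return hits


def severity(hits):
    """A geolocation lookup or the user agent alone is a weak signal ('low');
    a known C2 address or the Quasar port makes the host 'high'."""
    tags = {t for _, _, ts in hits for t in ts}
    if tags & {"known-c2-ip", "quasar-default-port"}:
        return "high"
    if tags:
        return "low"
    return "none"


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for line_no, dest, tags in found:
        print(f"line {line_no}: {dest} -> {', '.join(tags)}")
    print("severity:", severity(found))
```

The user-agent check is exact-match on purpose: the string is a fixed client artifact, so a near-miss (a real Firefox 48 on a real Windows 8.1 host) should not fire. Pairing the "low" tags with the originating process (here winrar.exe running from a Start Menu\Programs folder, per the Startup tree) is what turns the weak geolocation signal into something worth escalating when no C2 indicator is present.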

E-Banking Fraud:

Yara detected Quasar RAT
Source: the same Yara matches (seven memory dumps, six process memory spaces and three unpacked PEs) already listed under "Yara detected Quasar RAT" in the AV Detection section above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B11BE0
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B14598
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B10548
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05833450
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838580
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DC8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DD8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838570
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837423
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837430
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B11BE0
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B14598
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B10548
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05833450
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838580
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DC8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DD8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838570
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837423
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837430
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_030FF090
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_030FF960
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_030FED48
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_058610B8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_06CA4368
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_06CA7140
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_06CA8C08
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_07340FC3
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_07340040
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_0149FB50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_0149F808
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E0548
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E1BE0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E4A50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E9F71
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E47D8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E47CB
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E9F80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_0150FB50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_015081E5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_0150F808
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A1BE0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A4A50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A0548
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A4A40
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A9F73
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A47C8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A47D8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A9F80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 13_2_02D1F090
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 13_2_02D1F960
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 13_2_02D1ED48
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 15_2_00F4F090
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 15_2_00F4F960
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 15_2_00F4ED48
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: invalid certificate
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: invalid certificate
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winrar.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winrar.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winrar.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winrar.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.733655475.0000000004F90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730445830.0000000003B51000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEszbxlm.dll4 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000000.658274471.0000000000778000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClassLibrary3.dll< vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924756957.00000000011A8000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000000.722478373.0000000001008000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924643263.000000000045A000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.733655475.0000000004F90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730445830.0000000003B51000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEszbxlm.dll4 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000000.658274471.0000000000778000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClassLibrary3.dll< vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924756957.00000000011A8000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000000.722478373.0000000001008000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924643263.000000000045A000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: COVID-19 CDC Secon Outbreak Warning release.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: winrar.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: COVID-19 CDC Secon Outbreak Warning release.exe, u0001/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: winrar.exe.0.dr, u0001/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
Source: 13.2.winrar.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
Source: 15.2.winrar.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
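The five strings above are not Base64 text in any readable sense: decoded, they are 64, 80, 64, 80 and 64 bytes long, i.e. 32 + 16 + a multiple of 16, which is the shape of an authenticated AES-CBC blob rather than of a string. The script below is an added example and is neither part of the sandbox report nor code from Quasar. It assumes the setting layout of the Quasar 1.3 client as published in its source (an HMAC-SHA256 tag, then the AES-128-CBC IV, then PKCS7-padded ciphertext, with the tag computed over IV plus ciphertext); the 1.2 line prefixed only the IV and carried no tag, and both layouts fit these lengths, so the split should be confirmed against the unpacked Settings class before it is trusted. The encryption and authentication keys are derived from the build password, which the report does not contain, so the script only validates structure and demonstrates tag verification on a constructed key; it decrypts nothing.

```python
import base64
import hashlib
import hmac

# The five Base64 strings the report extracted from the unpacked payload (copied from the listing above).
REPORT_STRINGS = [
    "PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==",
    "m0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=",
    "NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==",
    "T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=",
    "jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ==",
]

# Assumed layout (Quasar 1.3 client settings, per its public source): tag || iv || ciphertext,
# tag = HMAC-SHA256(auth_key, iv || ciphertext), 16-byte IV, AES-128-CBC with PKCS7 padding.
# Both keys come from the build password, which this report does not contain.
TAG_LEN = 32
IV_LEN = 16
BLOCK = 16


def split_blob(b64: str):
    """Decode one setting and return (tag, iv, ciphertext), rejecting anything that cannot be this layout."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < TAG_LEN + IV_LEN + BLOCK:
        raise ValueError("shorter than tag + iv + one AES block")
    tag, iv, ct = raw[:TAG_LEN], raw[TAG_LEN:TAG_LEN + IV_LEN], raw[TAG_LEN + IV_LEN:]
    if len(ct) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    return tag, iv, ct


def plaintext_bounds(ct: bytes):
    """With PKCS7 padding, n ciphertext blocks hold between (n-1)*16 and n*16-1 plaintext bytes."""
    n = len(ct) // BLOCK
    return (n - 1) * BLOCK, n * BLOCK - 1


def summarize(strings):
    """Per string: (decoded length, (min, max) plaintext length), or ('invalid', reason)."""
    out = []
    for s in strings:
        try:
            _tag, _iv, ct = split_blob(s)
            out.append((TAG_LEN + IV_LEN + len(ct), plaintext_bounds(ct)))
        except ValueError as exc:
            out.append(("invalid", str(exc)))
    return out


def verify_tag(b64: str, auth_key: bytes) -> bool:
    """Recompute the HMAC over iv || ciphertext; only a blob that passes is worth decrypting."""
    tag, iv, ct = split_blob(b64)
    return hmac.compare_digest(tag, hmac.new(auth_key, iv + ct, hashlib.sha256).digest())


def make_blob(iv: bytes, ct: bytes, auth_key: bytes) -> str:
    """Assemble a blob in the same layout from already-encrypted bytes (constructed test data; no AES here)."""
    tag = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ct).decode("ascii")


if __name__ == "__main__":
    for s, info in zip(REPORT_STRINGS, summarize(REPORT_STRINGS)):
        print(s[:16] + "...", info)
```

The plaintext bounds already say something before any key is known: the two 80-byte blobs can hold 16 to 31 bytes, which is the size of a 28-character mutex name such as the QSR_MUTEX_ value recorded further down, while the 64-byte ones hold at most 15 bytes, enough for a short version string or an install name like winrar.exe. Which string is which cannot be told without the key, and a tag that fails to verify under the recovered key means either the wrong layout or the wrong password, not a corrupt sample.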
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@2/2
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_aEyHRwA2EwWBI7cCGO
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: COVID-19 CDC Secon Outbreak Warning release.exe | Virustotal: Detection: 52%
Source: COVID-19 CDC Secon Outbreak Warning release.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File read: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: unknown | Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe 'C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe'
Source: unknown | Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: COVID-19 CDC Secon Outbreak Warning release.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: COVID-19 CDC Secon Outbreak Warning release.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_0586C590 pushfd ; ret
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_0586A622 push es; ret
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_0586B141 push es; ret
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_0586AD41 push es; ret
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_0586B980 push es; ret
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_06B820A8 push es; iretd
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_06CAD55E push es; ret
Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Code function: 3_2_06CAA923 push esp; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Code function: 9_2_016AE342 push 00000001h; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Code function: 9_2_016AE33E push 00000001h; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.94855371176
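An entropy of 7.95 bits per byte in .text means the section is statistically indistinguishable from random data: compiled IL or x86 code sits well below that, so the real payload is compressed or encrypted inside the loader and only exists in plain form once it has been unpacked in memory, which is where the 3.2, 13.2 and 15.2 *.unpack images the Yara rules matched come from. The script below is an added example, not tooling from the report, that reads the PE section table with nothing but the Python standard library and flags executable sections above a threshold. The 7.0 cut-off is an assumed triage value, and the PE it runs on is a constructed two-section fixture whose .text is filled with SHA-256 output to reproduce the report's observation; it is not the sample.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
PACKED_THRESHOLD = 7.0   # assumed triage cut-off; ordinary compiled code lands well below it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table; returns [(name, characteristics, raw section bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def suspicious_sections(pe: bytes, threshold: float = PACKED_THRESHOLD):
    """Executable sections whose entropy is at or above the threshold, as (name, entropy)."""
    out = []
    for name, chars, data in parse_sections(pe):
        h = shannon_entropy(data)
        if chars & IMAGE_SCN_MEM_EXECUTE and h >= threshold:
            out.append((name, round(h, 3)))
    return out


def build_fixture_pe() -> bytes:
    """Constructed two-section PE32 skeleton (not the sample): deterministic pseudo-random .text,
    repetitive .rsrc, no optional header, raw data file-aligned at 0x200."""
    text = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4096 bytes
    rsrc = b"\x00" * 2048 + b"\xff" * 2048

    def section_header(name, va, data, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, optional header size 0
    headers = dos + b"PE\0\0" + coff
    headers += section_header(b".text", 0x1000, text, 0x200,
                              IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers += section_header(b".rsrc", 0x2000, rsrc, 0x200 + len(text),
                              IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return headers.ljust(0x200, b"\0") + text + rsrc


if __name__ == "__main__":
    fixture = build_fixture_pe()
    for name, chars, data in parse_sections(fixture):
        print(f"{name:8s} chars=0x{chars:08X} entropy={shannon_entropy(data):.3f}")
    print("packed?", suspicious_sections(fixture))
```

Pointed at the real file, the same check reports the .text characteristics the report lists (0x60000020: code, execute, read) next to its 7.95 entropy; the two together are the static tell that the image is a loader, and the follow-up is to dump the child process the loader spawns rather than to keep staring at the on-disk .text.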
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File created: \covid-19 cdc secon outbreak warning release.exe
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe\:Zone.Identifier:$DATA
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrar

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File opened: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.729223721.0000000002B51000.00000004.00000001.sdmp, winrar.exe, 00000005.00000002.807697076.0000000003515000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.821205550.0000000003415000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730445830.0000000003B51000.00000004.00000001.sdmp, winrar.exe, 00000005.00000002.808092469.00000000041E1000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.824536467.0000000005520000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLHEAD
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Window / User API: threadDelayed 366
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 4780 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 1680 | Thread sleep count: 366 > 30
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 7028 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe TID: 1680 | Thread sleep count: 347 > 30
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 7056 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 3660 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 5320 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe TID: 4664 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Last function: Thread delayed
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: winrar.exe, 00000009.00000002.821205550.0000000003415000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeMemory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      .NET source code references suspicious native API functions
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.csReference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.csReference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
      Source: 13.2.winrar.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.csReference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
      Source: 13.2.winrar.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.csReference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
      Source: 15.2.winrar.exe.400000.0.unpack, ??u08bd????ue13eu26f9?ue3e2???uedca?uef61???.csReference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
      Source: 15.2.winrar.exe.400000.0.unpack, ??uf6f5???ue4b2?????????????.csReference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeMemory written: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeProcess created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925192004.0000000001B90000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeCode function: 0_2_0583CF60 GetUserNameA,
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Quasar RAT
      Source: Yara matchFile source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
      Source: Yara matchFile source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Yara detected Quasar RAT
      Source: Yara matchFile source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
      Source: Yara matchFile source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      One column per tactic; trailing digits after a technique name are the report's signature-count badges, reproduced as extracted. Empty cells are left blank.

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 121 | Registry Run Keys / Startup Folder 11 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 11 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 21 | Security Account Manager | System Information Discovery 123 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 2 | NTDS | Security Software Discovery 221 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 12 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 4 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

      Behavior Graph


      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      COVID-19 CDC Secon Outbreak Warning release.exe | 53% | Virustotal |
      COVID-19 CDC Secon Outbreak Warning release.exe | 14% | Metadefender |
      COVID-19 CDC Secon Outbreak Warning release.exe | 59% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot
      COVID-19 CDC Secon Outbreak Warning release.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | 53% | Virustotal |
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | 14% | Metadefender |
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | 59% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot

      Unpacked PE Files

      Source | Detection | Scanner | Label
      15.2.winrar.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135947
      3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135947
      13.2.winrar.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135947

      Domains

      Source | Detection | Scanner | Label
      devils.shacknet.us | 1% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://ip-api.com4Ck | 0% | Avira URL Cloud | safe
      http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
      http://ocsp.thawte.com0 | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      ip-api.com | 208.95.112.1 | true | false |  | high
      devils.shacknet.us | 185.244.26.221 | true | false |  | unknown

        Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://ip-api.com/json/ | false |  | high

          URLs from Memory and Binaries

      Name: http://api.ipify.org/
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp
      Malicious: false
      Reputation: high

      Name: http://ip-api.com4Ck
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp
      Malicious: false
      Antivirus Detection: Avira URL Cloud: safe
      Reputation: unknown

      Name: http://freegeoip.net/xml/
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp
      Malicious: false
      Reputation: high

      Name: http://crl.thawte.com/ThawteTimestampingCA.crl0
      Source: COVID-19 CDC Secon Outbreak Warning release.exe
      Malicious: false
      Reputation: high

      Name: http://schemas.datacontract.org/2004/07/
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925473782.00000000032E3000.00000004.00000001.sdmp
      Malicious: false
      Antivirus Detection: URL Reputation: safe
      Reputation: unknown

      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp
      Malicious: false
      Reputation: high

      Name: http://ocsp.thawte.com0
      Source: COVID-19 CDC Secon Outbreak Warning release.exe
      Malicious: false
      Antivirus Detection: URL Reputation: safe
      Reputation: unknown

      Name: http://ip-api.com
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp
      Malicious: false
      Reputation: high

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | unknown | United States | 53334 | TUT-ASUS | false
185.244.26.221 | unknown | Netherlands | 47158 | VAMU-ASIP-TRANSITVAMURU | false

                    General Information

                    Joe Sandbox Version:31.0.0 Red Diamond
                    Analysis ID:319976
                    Start date:18.11.2020
                    Start time:22:01:38
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 10m 28s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:COVID-19 CDC Secon Outbreak Warning release.scr (renamed file extension from scr to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@11/4@2/2
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 0.8% (good quality ratio 0.6%)
                    • Quality average: 50.5%
                    • Quality standard deviation: 38.3%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    Warnings:
                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 51.104.139.180, 52.155.217.156, 20.54.26.129, 67.26.137.254, 67.26.83.254, 8.241.11.126, 8.253.204.249, 8.253.204.121, 92.122.213.194, 92.122.213.247
                    • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
22:02:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winrar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe"
22:03:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winrar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe"

                    Joe Sandbox View / Context

                    IPs

Match | Associated Sample Name / URL | Detection | Context
208.95.112.1 | 50139_GJO.msi | malicious | ip-api.com/json/
208.95.112.1 | accaf1b5618d15f665ee933d2684e82f.exe | malicious | ip-api.com/line/
208.95.112.1 | q4W2doW0OZ.exe | malicious | ip-api.com/json
208.95.112.1 | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious | ip-api.com/json/
208.95.112.1 | JfBrVoAbZJ.exe | malicious | ip-api.com/json/
208.95.112.1 | COMSurrogate.exe | malicious | ip-api.com/xml
208.95.112.1 | XbVizOmLp2.exe | malicious | ip-api.com/line/
208.95.112.1 | 5GdTme5iYr.exe | malicious | ip-api.com/line/
208.95.112.1 | ASX9zO2dRS.exe | malicious | ip-api.com/json
208.95.112.1 | nW6wmlBvYs.exe | malicious | ip-api.com/line/
208.95.112.1 | 58M6JBEHW4.exe | malicious | ip-api.com/json/
208.95.112.1 | wQDprpZ6i7.exe | malicious | ip-api.com/json/
208.95.112.1 | Xxgm9UF1xP.exe | malicious | ip-api.com/json/
208.95.112.1 | mY08H9Efjn.exe | malicious | ip-api.com/line/
208.95.112.1 | DHL Shipment Notice of Arrival AWB 8032697940773.js | malicious | ip-api.com/json/
208.95.112.1 | UuKzWnNMP6.exe | malicious | ip-api.com/json/
208.95.112.1 | xGaL85Q9T2.exe | malicious | ip-api.com/line/
208.95.112.1 | J7y5VaY5WM.exe | malicious | ip-api.com/line/
208.95.112.1 | M5tzeNIe5t.exe | malicious | ip-api.com/json/
208.95.112.1 | 1LdcfAJXhM.exe | malicious | ip-api.com/json/
185.244.26.221 | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious |

                      Domains

Match | Associated Sample Name / URL | Detection | Context
ip-api.com | 50139_GJO.msi | malicious | 208.95.112.1
ip-api.com | accaf1b5618d15f665ee933d2684e82f.exe | malicious | 208.95.112.1
ip-api.com | q4W2doW0OZ.exe | malicious | 208.95.112.1
ip-api.com | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious | 208.95.112.1
ip-api.com | JfBrVoAbZJ.exe | malicious | 208.95.112.1
ip-api.com | COMSurrogate.exe | malicious | 208.95.112.1
ip-api.com | XbVizOmLp2.exe | malicious | 208.95.112.1
ip-api.com | 5GdTme5iYr.exe | malicious | 208.95.112.1
ip-api.com | ASX9zO2dRS.exe | malicious | 208.95.112.1
ip-api.com | nW6wmlBvYs.exe | malicious | 208.95.112.1
ip-api.com | 58M6JBEHW4.exe | malicious | 208.95.112.1
ip-api.com | wQDprpZ6i7.exe | malicious | 208.95.112.1
ip-api.com | Xxgm9UF1xP.exe | malicious | 208.95.112.1
ip-api.com | mY08H9Efjn.exe | malicious | 208.95.112.1
ip-api.com | DHL Shipment Notice of Arrival AWB 8032697940773.js | malicious | 208.95.112.1
ip-api.com | UuKzWnNMP6.exe | malicious | 208.95.112.1
ip-api.com | xGaL85Q9T2.exe | malicious | 208.95.112.1
ip-api.com | J7y5VaY5WM.exe | malicious | 208.95.112.1
ip-api.com | M5tzeNIe5t.exe | malicious | 208.95.112.1
ip-api.com | 1LdcfAJXhM.exe | malicious | 208.95.112.1
devils.shacknet.us | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious | 185.244.26.221

                      ASN

Match | Associated Sample Name / URL | Detection | Context
VAMU-ASIP-TRANSITVAMURU | Kaszfnrcg7.exe | malicious | 185.244.26.213
VAMU-ASIP-TRANSITVAMURU | Inv No.5200003959 (FL).exe | malicious | 185.244.26.247
VAMU-ASIP-TRANSITVAMURU | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious | 185.244.26.221
VAMU-ASIP-TRANSITVAMURU | 85RNPseqgJ.exe | malicious | 185.244.26.206
VAMU-ASIP-TRANSITVAMURU | Olzcqxcxnf9.exe | malicious | 185.244.26.213
VAMU-ASIP-TRANSITVAMURU | R1MfM3z2Nz.exe | malicious | 185.244.26.206
VAMU-ASIP-TRANSITVAMURU | Fh06tuCZaK.exe | malicious | 185.244.26.206
VAMU-ASIP-TRANSITVAMURU | AlTKG0L5d8.exe | malicious | 185.244.26.206
VAMU-ASIP-TRANSITVAMURU | Rbmmuoavjkz8.exe | malicious | 185.244.26.213
VAMU-ASIP-TRANSITVAMURU | PO 6300019918..exe | malicious | 185.244.26.206
VAMU-ASIP-TRANSITVAMURU | gSTnUDrWFe.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | FpK385nmHk.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | 7sbXVpHq6E.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | Order N#U00b022019.exe | malicious | 185.244.26.219
VAMU-ASIP-TRANSITVAMURU | scan.exe | malicious | 185.244.26.219
VAMU-ASIP-TRANSITVAMURU | 3kpUlycHABfLMj6.exe | malicious | 185.244.26.228
VAMU-ASIP-TRANSITVAMURU | BTQBVILB.EXE | malicious | 185.244.26.228
VAMU-ASIP-TRANSITVAMURU | NCNRDEZ1.EXE | malicious | 185.244.26.228
VAMU-ASIP-TRANSITVAMURU | BM6GMIYN.EXE | malicious | 185.244.26.228
VAMU-ASIP-TRANSITVAMURU | QPI51NCL.EXE | malicious | 185.244.26.228
TUT-ASUS | 50139_GJO.msi | malicious | 208.95.112.1
TUT-ASUS | accaf1b5618d15f665ee933d2684e82f.exe | malicious | 208.95.112.1
TUT-ASUS | q4W2doW0OZ.exe | malicious | 208.95.112.1
TUT-ASUS | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious | 208.95.112.1
TUT-ASUS | JfBrVoAbZJ.exe | malicious | 208.95.112.1
TUT-ASUS | COMSurrogate.exe | malicious | 208.95.112.1
TUT-ASUS | XbVizOmLp2.exe | malicious | 208.95.112.1
TUT-ASUS | 5GdTme5iYr.exe | malicious | 208.95.112.1
TUT-ASUS | nW6wmlBvYs.exe | malicious | 208.95.112.1
TUT-ASUS | 58M6JBEHW4.exe | malicious | 208.95.112.1
TUT-ASUS | wQDprpZ6i7.exe | malicious | 208.95.112.1
TUT-ASUS | Xxgm9UF1xP.exe | malicious | 208.95.112.1
TUT-ASUS | mY08H9Efjn.exe | malicious | 208.95.112.1
TUT-ASUS | DHL Shipment Notice of Arrival AWB 8032697940773.js | malicious | 208.95.112.1
TUT-ASUS | UuKzWnNMP6.exe | malicious | 208.95.112.1
TUT-ASUS | xGaL85Q9T2.exe | malicious | 208.95.112.1
TUT-ASUS | J7y5VaY5WM.exe | malicious | 208.95.112.1
TUT-ASUS | M5tzeNIe5t.exe | malicious | 208.95.112.1
TUT-ASUS | 1LdcfAJXhM.exe | malicious | 208.95.112.1
TUT-ASUS | hjeBW2gHjq.exe | malicious | 208.95.112.1

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COVID-19 CDC Secon Outbreak Warning release.exe.log
                      Process:C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:modified
                      Size (bytes):517
                      Entropy (8bit):5.335306720429945
                      Encrypted:false
                      SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaxzAbDLI4M6:ML9E4Ks2wKDE4KhK3VZ9pKhmsXE4j
                      MD5:BB6624785B5CCCA1B27C160A2F19C179
                      SHA1:51C3A976DB55F4E09009C1E7663643A2205FBEA5
                      SHA-256:CF05D58CFF71D857664AAB4D49D3ABABFD0D59A65303B0FA5B1996C1CD3E66DA
                      SHA-512:83C5B206F17844ECE6D3F8330C661A66C76803DF80BDD29780C541963D4693F89947407336D4CDE03F1F902C8F50B64E4F49C1577B99AAB09EDA16F1677CA843
                      Malicious:true
                      Reputation:moderate, very likely benign file
                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winrar.exe.log
                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):517
                      Entropy (8bit):5.335306720429945
                      Encrypted:false
                      SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaxzAbDLI4M6:ML9E4Ks2wKDE4KhK3VZ9pKhmsXE4j
                      MD5:BB6624785B5CCCA1B27C160A2F19C179
                      SHA1:51C3A976DB55F4E09009C1E7663643A2205FBEA5
                      SHA-256:CF05D58CFF71D857664AAB4D49D3ABABFD0D59A65303B0FA5B1996C1CD3E66DA
                      SHA-512:83C5B206F17844ECE6D3F8330C661A66C76803DF80BDD29780C541963D4693F89947407336D4CDE03F1F902C8F50B64E4F49C1577B99AAB09EDA16F1677CA843
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Process:C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):634176
                      Entropy (8bit):7.917866889273155
                      Encrypted:false
                      SSDEEP:12288:4pwAe1+dbJ1wD7wBvn7pGxp+46IFBqmzKxBUJXA+:wLe1+dbJ1wQhtg1iBUJXA+
                      MD5:DB0D632B83738DFC64013B9B5B7C339E
                      SHA1:2F9269BFC05473A6DCE71C56D25B37D8B5490BCD
                      SHA-256:6FB60C80BDC9CD558A384B468DC8B8467FB2E02764728E6A0EBC28CA865F31F6
                      SHA-512:F35A95B4F1E31049AD9599D111F0F4E3E1422F98F8D539B6E9AB7327B1020A691026BD37CF7FAC090DB2AB810A8F9C471063BF5447FD63DBBF68F270825AA9CA
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 53%
• Antivirus: Metadefender, Detection: 14%
                      • Antivirus: ReversingLabs, Detection: 59%
                      Reputation:low
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a[._.................B...8......:`... ........@.. ....................................@.................................._..J........5...........|..@1........................................................... ............... ..H............text...@@... ...B.................. ..`.rsrc....5.......6...D..............@..@.reloc...............z..............@..B................ `......H............B..............(...........................................N+.+.*(....+.(....+..0..V........8....8.... U.f.8....8.... P.f.8.....9....&8....8....8......o......o.... ..f.(|...o........,..o........ .f.(|....o....(.......... U.f.(|...(........o........o........s........o..........,...o.........,...o.........,...o.......(........ .f.(|.....o....(.......(....&*.8....(....8....(|...8......8....(|...8......8......8......8....(....8.......L....B..Z........;.+f..3.......
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe:Zone.Identifier
                      Process:C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Reputation:high, very likely benign file
                      Preview: [ZoneTransfer]....ZoneId=0

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.917866889273155
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      • Win32 Executable (generic) a (10002005/4) 49.97%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:COVID-19 CDC Secon Outbreak Warning release.exe
                      File size:634176
                      MD5:db0d632b83738dfc64013b9b5b7c339e
                      SHA1:2f9269bfc05473a6dce71c56d25b37d8b5490bcd
                      SHA256:6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
                      SHA512:f35a95b4f1e31049ad9599d111f0f4e3e1422f98f8d539b6e9ab7327b1020a691026bd37cf7fac090db2ab810a8f9c471063bf5447fd63dbbf68f270825aa9ca
                      SSDEEP:12288:4pwAe1+dbJ1wD7wBvn7pGxp+46IFBqmzKxBUJXA+:wLe1+dbJ1wQhtg1iBUJXA+
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a[._.................B...8......:`... ........@.. ....................................@................................

                      File Icon

                      Icon Hash:3b3b332b696932b2

                      Static PE Info

                      General

                      Entrypoint:0x48603a
                      Entrypoint Section:.text
                      Digitally signed:true
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x5FB35B61 [Tue Nov 17 05:10:57 2020 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:v4.0.30319
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Authenticode Signature

                      Signature Valid:false
                      Signature Issuer:CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
                      Signature Validation Error:The digital signature of the object did not verify
                      Error Number:-2146869232
                      Not Before, Not After
                      • 8/25/2020 3:42:07 PM 8/26/2023 3:42:07 PM
                      Subject Chain
                      • CN=win.rar GmbH, O=win.rar GmbH, L=Berlin, S=Berlin, C=DE
                      Version:3
                      Thumbprint MD5:185DBD4A2E2671589EEB3E7E1920EA9F
                      Thumbprint SHA-1:B3DF816A17A25557316D181DDB9F46254D6D8CA0
                      Thumbprint SHA-256:66DB1C86D38273627C837F4638122FA88BBFFFF31C4052115B98CAF6CE0C631E
                      Serial:731D40AE3F3A1FB2BC3D8395

                      Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the preceding instruction is repeated 97 times: the bytes after the jmp are zero padding, which disassembles as add byte ptr [eax], al; the jmp itself goes through the IAT entry at 0x402000, the only import, mscoree.dll!_CorExeMain, which is the standard .NET executable stub)

                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85ff0 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x13590 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x97c00 | 0x3140 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x84040 | 0x84200 | False | 0.957613307119 | data | 7.94855371176 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x88000 | 0x13590 | 0x13600 | False | 0.85138608871 | data | 7.63155477621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x8809c | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x88628 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x88ef4 | 0xea8 | data | |
RT_ICON | 0x89dc0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x8a24c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x8b318 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x8d8e4 | 0xd646 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x9af66 | 0x68 | data | |
RT_VERSION | 0x9b00a | 0x360 | data | |
RT_MANIFEST | 0x9b3a6 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2020 22:03:06.486851931 CET | 49747 | 80 | 192.168.2.4 | 208.95.112.1
Nov 18, 2020 22:03:06.517319918 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.4
Nov 18, 2020 22:03:06.519470930 CET | 49747 | 80 | 192.168.2.4 | 208.95.112.1
Nov 18, 2020 22:03:06.519504070 CET | 49747 | 80 | 192.168.2.4 | 208.95.112.1
Nov 18, 2020 22:03:06.590480089 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.4
Nov 18, 2020 22:03:06.609174013 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.4
Nov 18, 2020 22:03:06.740864038 CET | 49747 | 80 | 192.168.2.4 | 208.95.112.1
Nov 18, 2020 22:03:07.506920099 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:07.739882946 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:03:07.740027905 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:07.975766897 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:03:08.131855965 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:09.252739906 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:09.486231089 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:03:09.631756067 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:34.495062113 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:34.727848053 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:03:34.880531073 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:03:34.883851051 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:59.745313883 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:03:59.977499008 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:04:00.114784956 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:04:00.114859104 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:04:24.862526894 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.4
Nov 18, 2020 22:04:24.862608910 CET | 49747 | 80 | 192.168.2.4 | 208.95.112.1
Nov 18, 2020 22:04:24.981982946 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221
Nov 18, 2020 22:04:25.215270042 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:04:25.352879047 CET | 4782 | 49748 | 185.244.26.221 | 192.168.2.4
Nov 18, 2020 22:04:25.352948904 CET | 49748 | 4782 | 192.168.2.4 | 185.244.26.221

                      UDP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Nov 18, 2020 22:02:26.615756035 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:26.642864943 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:29.198508024 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:29.225600004 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:30.225917101 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:30.261406898 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:33.435633898 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:33.462861061 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:34.557153940 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:34.584332943 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:35.602444887 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:35.629566908 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:36.399518967 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:36.426800013 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:37.204504013 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:37.240169048 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:38.009109020 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:38.036233902 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:38.843467951 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:38.878778934 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:39.664978981 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:39.692018032 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:40.470731020 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:40.506336927 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:02:54.412713051 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:02:54.439892054 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:06.440885067 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:06.468094110 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:07.297065020 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:07.497384071 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:15.046999931 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:15.098958015 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:15.633944988 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:15.669302940 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:16.098850965 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:16.134459019 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:16.446012974 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:16.481395960 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:16.733311892 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:16.768939018 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:16.834768057 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:16.870117903 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:16.945837021 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:16.972923994 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:17.264987946 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:17.292031050 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:17.715737104 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:17.751249075 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:18.289900064 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:18.325318098 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:18.922276020 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:18.960123062 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:19.415637016 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:19.451225996 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:03:30.517765045 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:03:30.555037975 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:04:01.499881983 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:04:01.527025938 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
                      Nov 18, 2020 22:04:03.307820082 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
                      Nov 18, 2020 22:04:03.345563889 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4

                      DNS Queries

                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                      Nov 18, 2020 22:03:06.440885067 CET | 192.168.2.4 | 8.8.8.8 | 0x3cb3 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
                      Nov 18, 2020 22:03:07.297065020 CET | 192.168.2.4 | 8.8.8.8 | 0x6a02 | Standard query (0) | devils.shacknet.us | A (IP address) | IN (0x0001)

                      DNS Answers

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                      Nov 18, 2020 22:03:06.468094110 CET | 8.8.8.8 | 192.168.2.4 | 0x3cb3 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001)
                      Nov 18, 2020 22:03:07.497384071 CET | 8.8.8.8 | 192.168.2.4 | 0x6a02 | No error (0) | devils.shacknet.us | | 185.244.26.221 | A (IP address) | IN (0x0001)

                      HTTP Request Dependency Graph

                      • ip-api.com

                      HTTP Packets

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.4 | 49747 | 208.95.112.1 | 80 | C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe

                      Timestamp | kBytes transferred | Direction | Data
                      Nov 18, 2020 22:03:06.519504070 CET | 360 | OUT | GET /json/ HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                      Host: ip-api.com
                      Connection: Keep-Alive
                      Nov 18, 2020 22:03:06.609174013 CET | 361 | IN | HTTP/1.1 200 OK
                      Date: Wed, 18 Nov 2020 21:03:06 GMT
                      Content-Type: application/json; charset=utf-8
                      Content-Length: 281
                      Access-Control-Allow-Origin: *
                      X-Ttl: 60
                      X-Rl: 44
                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 31 35 32 22 2c 22 6c 61 74 22 3a 34 37 2e 34 33 2c 22 6c 6f 6e 22 3a 38 2e 35 37 31 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 5a 55 52 20 49 54 58 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 30 22 7d
                      Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.40"}


                      Behavior

                      System Behavior

                      General

                      Start time: 22:02:31
                      Start date: 18/11/2020
                      Path: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
                      Wow64 process (32bit): true
                      Commandline: 'C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe'
                      Imagebase: 0x6f0000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation: low

                      General

                      Start time: 22:03:01
                      Start date: 18/11/2020
                      Path: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
                      Wow64 process (32bit): true
                      Commandline: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
                      Imagebase: 0xf80000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation: low

                      General

                      Start time: 22:03:07
                      Start date: 18/11/2020
                      Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Wow64 process (32bit): true
                      Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
                      Imagebase: 0xc70000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 53%, Virustotal
                      • Detection: 14%, Metadefender
                      • Detection: 59%, ReversingLabs
                      Reputation: low

                      General

                      Start time: 22:03:15
                      Start date: 18/11/2020
                      Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Wow64 process (32bit): true
                      Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
                      Imagebase: 0xbe0000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation: low

                      General

                      Start time: 22:03:37
                      Start date: 18/11/2020
                      Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Wow64 process (32bit): true
                      Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Imagebase: 0xb20000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation: low

                      General

                      Start time: 22:03:46
                      Start date: 18/11/2020
                      Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Imagebase: 0xb0000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: low

                      General

                      Start time: 22:03:46
                      Start date: 18/11/2020
                      Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Wow64 process (32bit): true
                      Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
                      Imagebase: 0x710000
                      File size: 634176 bytes
                      MD5 hash: DB0D632B83738DFC64013B9B5B7C339E
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation: low
