| Source: intro.avi.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects Vermin Keylogger Author: Florian Roth |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects Patchwork malware Author: Florian Roth |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: QuasarRAT payload Author: ditekSHen |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects Quasar RAT Author: Florian Roth |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects Vermin Keylogger Author: Florian Roth |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects Patchwork malware Author: Florian Roth |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detect QuasarRAT (reted from samples 2023-03) Author: Sekoia.io |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: QuasarRAT payload Author: ditekSHen |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23 |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740 |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8 |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers |
| Source: intro.avi.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23 |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740 |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8 |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers |
| Source: 0.0.intro.avi.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23 |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8 |
| Source: 00000000.00000000.1349274211.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23 |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740 |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/ |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: implant_win_quasarrat author = Sekoia.io, description = Detect QuasarRAT (reted from samples 2023-03), creation_date = 2023-03-17, classification = TLP:CLEAR, version = 1.0, reference = https://blog.alyac.co.kr/5103, id = 492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8 |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe, type: DROPPED | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: mscoree.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: windows.storage.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: wldp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: profapi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: rsaenh.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: wbemcomn.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: userenv.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: rasapi32.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: rasman.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: rtutils.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: mswsock.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: winhttp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: iphlpapi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: dnsapi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: winnsi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: rasadhlp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: ntmarta.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: apphelp.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: mscoree.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: windows.storage.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: wldp.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: profapi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: rsaenh.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: wbemcomn.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: userenv.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: rasapi32.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: rasman.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: rtutils.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: mswsock.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: winhttp.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: iphlpapi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: dnsapi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: winnsi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: rasadhlp.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: propsys.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: edputil.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: urlmon.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: iertutil.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: srvcli.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: netutils.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: appresolver.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: bcp47langs.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: slc.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: sppc.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: mscoree.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: windows.storage.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: wldp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: profapi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: rsaenh.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: wbemcomn.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Section loaded: userenv.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: dnsapi.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: rasadhlp.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: fwpuclnt.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: mscoree.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: windows.storage.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: wldp.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: profapi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: rsaenh.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: wbemcomn.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Section loaded: userenv.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\intro.avi.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\system\systemware.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual USB Mouse |
| Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware, Inc. |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1hbin@ |
| Source: Amcache.hve.14.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
| Source: Amcache.hve.14.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
| Source: Amcache.hve.14.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
| Source: Amcache.hve.14.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
| Source: systemware.exe, 00000004.00000002.1615832564.0000000005108000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATA_CD0 |
| Source: Amcache.hve.14.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
| Source: systemware.exe, 00000004.00000002.1602907003.0000000000E09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y& |
| Source: Amcache.hve.14.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
| Source: Amcache.hve.14.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
| Source: systemware.exe, 00000004.00000002.1602907003.0000000000E09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
| Source: intro.avi.exe, 00000000.00000002.1375285314.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw |
| Source: Amcache.hve.14.dr | Binary or memory string: vmci.sys |
| Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin` |
| Source: Amcache.hve.14.dr | Binary or memory string: \driver\vmci,\driver\pci |
| Source: Amcache.hve.14.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1 |
| Source: Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
| Source: Amcache.hve.14.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19 |
| Source: Amcache.hve.14.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
| Source: Amcache.hve.14.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
| Source: Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware PCI VMCI Bus Device |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware VMCI Bus Device |
| Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual RAM |
| Source: Amcache.hve.14.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
| Source: Amcache.hve.14.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Edit tour
intro.avi.exe (PID: 7560 cmdline: 
conhost.exe (PID: 7700 cmdline: 
WerFault.exe (PID: 8056 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node